docs: add the checksum of v2.0.0

[suzuki-shunsuke]

$ sha256sum slsa-verifier-linux-amd64 
8d2e93a9ea0126d5daec22f2778b42fea79192605d16955f0c91847c3a6a8921  slsa-verifier-linux-amd64

Signed-off-by: Shunsuke Suzuki suzuki.shunsuke.1989@gmail.com

[laurentsimon]

@ianlewis Can you add the relevant command used to verify the sha256 with provenance?
Like in #347

[ianlewis]

@ianlewis Can you add the relevant command used to verify the sha256 with provenance? Like in #347

Yes. Verified via both the binary and provenance subject.

$ sha256sum slsa-verifier-linux-amd64                                                                                                     
8d2e93a9ea0126d5daec22f2778b42fea79192605d16955f0c91847c3a6a8921  slsa-verifier-linux-amd64

$ jq -r '.payload' < slsa-verifier-linux-amd64.intoto.jsonl | base64 -d | jq '.subject[0]'
{
  "name": "slsa-verifier-linux-amd64",
  "digest": {
    "sha256": "8d2e93a9ea0126d5daec22f2778b42fea79192605d16955f0c91847c3a6a8921"
  }
}

[ianlewis]

Provenance for v2.0.0 also verified by the verifier at HEAD.

slsa-verifier$ go run ./cli/slsa-verifier verify-artifact slsa-verifier-linux-amd64 \
    --source-branch main \
    --source-tag v2.0.0 \
    --provenance-path slsa-verifier-linux-amd64.intoto.jsonl \
    --source-uri github.com/slsa-framework/slsa-verifier
Verified signature against tlog entry index 8254206 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a0d0655be7998e4a81dff692095c218075cd984f5a78509d24122a40ff1c16145
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.2 at commit 128324f48837d274fdb69870704477a8d2645b8d
PASSED: Verified SLSA provenance

It looks as though @asraa didn't use a release/v2.0.0 branch but tagged a commit on main.