fix(cli): cosign signature verification fails with MANIFEST_UNKNOWN #532

@Aureliolo

Description

Summary

synthorg start and synthorg update fail with MANIFEST_UNKNOWN when verifying container image cosign signatures. The CLI tries to fetch .sig tags from the registry, but cosign v2+ keyless signing stores signatures in Rekor, not as OCI artifacts.

Root Cause

  • CI (docker.yml): cosign sign --yes without --registry-referrers-mode pushes signatures to Rekor only, not the registry
  • CLI (cosign.go): Fetches .sig tag from registry (sha256-<digest>.sig) -- the deprecated cosign v1 pattern

SLSA provenance works fine because provenance.go uses the OCI referrers API.

Error Output

Verifying ghcr.io/aureliolo/synthorg-backend:0.3.2...
  Resolved digest: sha256:3b6029ac...
image verification failed: verifying ghcr.io/aureliolo/synthorg-backend:0.3.2:
  cosign signature: fetching cosign signature for ghcr.io/aureliolo/synthorg-backend:0.3.2:
  GET .../manifests/sha256-3b6029ac....sig: MANIFEST_UNKNOWN: manifest unknown

Fix

  1. CI: Add --registry-referrers-mode=oci-1-1 to all cosign sign commands so signatures are pushed as OCI referrers
  2. CLI: Rewrite cosign.go to use OCI referrers API (same approach as provenance.go) instead of deprecated .sig tags

Acceptance Criteria

  • CI pushes cosign signatures as OCI referrers (discoverable via remote.Referrers())
  • CLI fetches cosign signatures via OCI referrers instead of .sig tags
  • Old .sig tag code and cosignSigTag helper removed
  • Tests updated for referrer-based approach
  • cosign verify commands in release notes still work (cosign CLI auto-discovers referrers)
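As an added illustration of the two lookup strategies the issue contrasts (this is example code written for this page, not code from the synthorg CLI or from cosign), the block below runs both against a constructed in-process fake registry: the deprecated `sha256-<digest>.sig` tag lookup, which returns the MANIFEST_UNKNOWN error seen above, and the OCI 1.1 referrers API lookup the fix adopts, which lists the descriptors attached to the image digest and filters them to cosign signatures. The repository name is the one from the issue; the digest is a constructed placeholder, and the `cosignSigArtifactType` value is an assumption about what cosign uses in registry-referrers mode, which a real implementation should take from cosign's own constants (or from `remote.Referrers()` in go-containerregistry) rather than from this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumption (not stated in the issue): the artifactType cosign attaches to
// signature manifests when pushing them as OCI referrers.
const cosignSigArtifactType = "application/vnd.dev.cosign.artifact.sig.v1+json"

// Repository name from the issue; the digest is a constructed placeholder.
const sampleRepo = "aureliolo/synthorg-backend"

var sampleDigest = "sha256:" + strings.Repeat("0a", 32)

// descriptor is an OCI content descriptor as listed in a referrers index.
type descriptor struct {
	MediaType    string `json:"mediaType"`
	Digest       string `json:"digest"`
	Size         int64  `json:"size"`
	ArtifactType string `json:"artifactType,omitempty"`
}

// ociIndex is the image index the referrers API returns for a subject digest.
type ociIndex struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []descriptor `json:"manifests"`
}

// legacySigTag is the deprecated cosign v1 tag convention: sha256-<hex>.sig.
func legacySigTag(digest string) string {
	return strings.Replace(digest, ":", "-", 1) + ".sig"
}

// fetchLegacySig does what the broken CLI did: GET the manifest for the .sig tag.
// When signatures were never pushed under that tag, this is the MANIFEST_UNKNOWN path.
func fetchLegacySig(baseURL, repo, digest string) error {
	resp, err := http.Get(baseURL + "/v2/" + repo + "/manifests/" + legacySigTag(digest))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(resp.Body)
		return fmt.Errorf("GET %s: %s", legacySigTag(digest), strings.TrimSpace(string(body)))
	}
	return nil
}

// fetchCosignReferrers queries the OCI 1.1 referrers API for the subject digest
// and keeps only the descriptors whose artifactType marks a cosign signature.
func fetchCosignReferrers(baseURL, repo, digest string) ([]descriptor, error) {
	resp, err := http.Get(baseURL + "/v2/" + repo + "/referrers/" + digest)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("referrers API returned HTTP %d", resp.StatusCode)
	}
	var idx ociIndex
	if err := json.NewDecoder(resp.Body).Decode(&idx); err != nil {
		return nil, err
	}
	var sigs []descriptor
	for _, d := range idx.Manifests {
		if d.ArtifactType == cosignSigArtifactType {
			sigs = append(sigs, d)
		}
	}
	if len(sigs) == 0 {
		return nil, fmt.Errorf("no cosign signature referrers for %s", digest)
	}
	return sigs, nil
}

// newFakeRegistry is a constructed stand-in for the real registry: it serves a
// referrers index for the digest (one cosign signature, one provenance
// attestation) but has no .sig tag, which reproduces the failure in the issue.
func newFakeRegistry(repo, digest string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/"+repo+"/manifests/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprint(w, `{"errors":[{"code":"MANIFEST_UNKNOWN","message":"manifest unknown"}]}`)
	})
	mux.HandleFunc("/v2/"+repo+"/referrers/"+digest, func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/vnd.oci.image.index.v1+json")
		json.NewEncoder(w).Encode(ociIndex{SchemaVersion: 2, MediaType: "application/vnd.oci.image.index.v1+json",
			Manifests: []descriptor{
				{MediaType: "application/vnd.oci.image.manifest.v1+json", Digest: "sha256:" + strings.Repeat("01", 32), Size: 512, ArtifactType: cosignSigArtifactType},
				{MediaType: "application/vnd.oci.image.manifest.v1+json", Digest: "sha256:" + strings.Repeat("02", 32), Size: 2048, ArtifactType: "application/vnd.in-toto+json"},
			}})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeRegistry(sampleRepo, sampleDigest)
	defer srv.Close()
	fmt.Println("legacy .sig lookup:", fetchLegacySig(srv.URL, sampleRepo, sampleDigest))
	sigs, err := fetchCosignReferrers(srv.URL, sampleRepo, sampleDigest)
	fmt.Printf("referrers lookup: %d signature(s), err=%v\n", len(sigs), err)
}
```

Listing referrers only locates the signature manifest; the actual verification step (checking the signature against the image digest and, for keyless signing, the certificate chain and Rekor entry) still has to follow, which is the part the existing `provenance.go` approach already handles for SLSA attestations.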

Metadata

Labels

  • prio:high: Important, should be prioritized
  • scope:small: Less than 1 day of work
  • spec:tools: DESIGN_SPEC Section 11 - Tool & Capability System
  • type:fix: Bug fixes and corrections