Sign release assets and Docker images using Cosign

[kchudy]

1. Use Cosign Keyless Signing via GitHub OIDC for all Docker images. Add the following steps to the workflows.

- name: Install Cosign
   uses: sigstore/cosign-installer@v3.5.0

- name: Sign image with Cosign (keyless)
  run: cosign sign --keyless ghcr.io/${{ github.repository }}

Images should then be verifiable using

cosign verify --keyless ghcr.io/owner/repo:tag

2. Use similar approach to sign other assets (deb, rpm).

- name: Sign release files with Cosign (keyless)
  run: cosign sign-blob --yes --keyless "defguard-1.5.0-alpha1-x86_64-unknown-linux-gnu.deb" --output-signature "defguard-1.5.0-alpha1-x86_64-unknown-linux-gnu.deb.sig" --output-certificate "defguard-1.5.0-alpha1-x86_64-unknown-linux-gnu.deb.pem"

[teon]

If there are available Actions - we should definitely try to implement ASAP

[wojcik91]

@kchudy PoC of signing docker images: #1373

Is this something that we indeed want to pursue? It would probably require a better understanding of what's actually provided by sigstore.