fix(install): detect outdated cosign before attestation verification (#337) #344

Merged
lockwobr merged 1 commit into main from fix/cosign-error-handling-install on Mar 11, 2026

Conversation

@lockwobr
Contributor

Summary

  • Check installed cosign version against minimum required (v3.0.4) before attempting attestation verification
  • Show a clear upgrade message when cosign is too old, instead of a generic "verification failed" error
  • Capture and display cosign stderr on verification failure for easier debugging

Test plan

  • Old cosign (v2.4.0) — warns about outdated version with upgrade link
  • Current cosign (v3.1.0) — passes version check; on failure shows actual cosign error
  • Exact minimum (v3.0.4) — treated as acceptable
  • Unparseable version — falls through to attempt verification (safe default)
  • No cosign installed — existing "cosign not found" message unchanged
  • shellcheck clean (no new warnings)

Closes #337

Testing

Did some mocking to test the logic out:

=== Test 1: Old cosign (v2.4.0) ===
  Detected version: v2.4.0
  ! Installed cosign version (v2.4.0) is older than the minimum required (v3.0.4)
    Update cosign to verify provenance: https://docs.sigstore.dev/cosign/system_config/installation/
  Correctly caught old version

=== Test 2: Current cosign (v3.1.0) ===
  Detected version: v3.1.0
  Correctly passed version check (would proceed to verify)
  ! Attestation verification failed — cannot confirm binary provenance
    cosign: some verify error detail
  Stderr captured and displayed

=== Test 3: Exact minimum version (v3.0.4) ===
  Detected version: v3.0.4
  Correctly passed (equal to minimum)

=== Test 4: Version not parseable ===
  Detected version: ''
  Correctly fell through to verification (version unknown)

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • Build/CI/tooling

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert
  • Medium — Touches multiple components or has broader impact
  • High — Breaking change, affects critical paths, or complex rollout

Rollout notes:

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S) — GPG signing info

…337)

When cosign is too old (< v3.0.4), verify-blob-attestation fails silently
and shows a generic error. Now the script checks the installed cosign
version first and gives a clear upgrade message. Also captures cosign
stderr on verification failure for diagnostics.
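An added example, in POSIX sh, of the two behaviours the summary describes: a version gate before attestation verification and stderr capture on failure. This is not the project's install script or the author's code; the `cosign version` output format (a "vX.Y.Z" token) and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's install script: gate on cosign version before
# attestation verification and surface cosign's stderr on failure, as the PR describes.
MIN_COSIGN_VERSION="v3.0.4"
# Pull the first vX.Y.Z token (with any suffix) out of `cosign version` output (assumed format).
parse_cosign_version() {
  printf '%s\n' "$1" | sed -n 's/.*\(v[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[^[:space:]]*\).*/\1/p' | head -n 1
}

# Print ok / outdated / unknown. Anything that is not exactly X.Y.Z with numeric
# fields is unknown, which the caller treats as "try verification anyway".
cosign_version_status() {
  v=${1#v}
  case "$v" in
    *[!0-9.]*|*.*.*.*) echo unknown; return 0 ;;  # non-numeric, suffix or >3 fields
    [0-9]*.[0-9]*.[0-9]*) ;;                       # looks like X.Y.Z
    *) echo unknown; return 0 ;;                   # empty or too few fields
  esac
  m=${MIN_COSIGN_VERSION#v}; vr=${v#*.}; mr=${m#*.}
  for pair in "${v%%.*} ${m%%.*}" "${vr%%.*} ${mr%%.*}" "${vr#*.} ${mr#*.}"; do
    set -- $pair  # major, minor, then patch: the first difference decides
    if [ "$1" -gt "$2" ]; then echo ok; return 0; fi
    if [ "$1" -lt "$2" ]; then echo outdated; return 0; fi
  done
  echo ok  # all fields equal: the exact minimum is acceptable
}

# Run the verification command given as arguments, capturing its stderr so the
# real cosign error is shown instead of a generic "verification failed".
verify_attestation() {
  err_file=$(mktemp)
  if "$@" 2>"$err_file"; then rm -f "$err_file"; return 0; fi
  echo "! Attestation verification failed - cannot confirm binary provenance"
  sed 's/^/    /' "$err_file"; rm -f "$err_file"
  return 1
}

# $1 is the raw `cosign version` output; the rest is the verify command
# (e.g. cosign verify-blob-attestation ...), so a stub can stand in offline.
check_and_verify() {
  ver=$(parse_cosign_version "$1"); shift
  case "$(cosign_version_status "$ver")" in
    outdated)
      echo "! Installed cosign version ($ver) is older than the minimum required ($MIN_COSIGN_VERSION)"
      echo "  Update cosign to verify provenance: https://docs.sigstore.dev/cosign/system_config/installation/"
      return 1 ;;
    unknown) echo "  cosign version unknown ('$ver'); attempting verification anyway" ;;
  esac
  verify_attestation "$@"
}
```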
@lockwobr lockwobr self-assigned this Mar 11, 2026
@lockwobr lockwobr requested a review from a team as a code owner March 11, 2026 19:09
@lockwobr lockwobr enabled auto-merge (squash) March 11, 2026 19:10
@lockwobr lockwobr merged commit 2e3b8ec into main Mar 11, 2026
15 checks passed
@lockwobr lockwobr deleted the fix/cosign-error-handling-install branch March 11, 2026 19:17
@github-actions

Coverage Report ✅

| Metric | Value |
| --- | --- |
| Coverage | 73.3% |
| Threshold | 70% |
| Status | Pass |
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-73.3%25-green)

No Go source files changed in this PR.

Successfully merging this pull request may close these issues.

[Bug]: install script has a bad error if your version of cosign is too old.