feat: add binary verification script and documentation

[tgunnoe]

Add tooling for SPOs and operators to verify signed binary releases:

• scripts/verify-binary.sh: Wrapper script for cosign verify-blob
• docs/security/binary-verification.md: Documentation with prerequisites, examples, manual verification commands, and troubleshooting
• Update release checklist with binary verification step

Overview

🗹 TODO before merging

• Ready

📌 Submission Checklist

• Changes are backward-compatible (or flagged if breaking)
• Pull request description explains why the change is needed
• Self-reviewed the diff
• I have included a change file, or skipped for this reason:
• If the changes introduce a new feature, I have bumped the node minor version
• Update documentation (if relevant)
• Updated AGENTS.md if build commands, architecture, or workflows changed
• No new todos introduced

🧪 Testing Evidence

Please describe any additional testing aside from CI:

• Additional tests are provided (if possible)

🔱 Fork Strategy

• Node Runtime Update
• Node Client Update
• Other:
• N/A

Links

[github-actions]

KICS version: v2.1.16

Category Results CRITICAL 0 HIGH 0 MEDIUM 96 LOW 12 INFO 83 TRACE 0 TOTAL 191	Metric Values Files scanned 31 Files parsed 31 Files failed to scan 0 Total executed queries 73 Queries failed to execute 0 Execution time 9

[gilescope]

Doesn't this overlap with #645 ?

[tgunnoe]

Doesn't this overlap with #645 ?

I don't think so, that line of work was for OCI image signing and verification. this one is for the binaries extracted from them and released as tarballs

[tgunnoe]

this is a followup to #577
https://shielded.atlassian.net/browse/SRE-1798