feat(sign): implement support for sigstore bundle format

[brandtkeller]

Description

This is a backwards compatible change to update Zarf to using the sigstore bundle format for signatures when signing.

This sets the default signing options to empty strings for infrastructure endpoints - cementing zarfs stance on ensuring no unintentional data or network calls are made.

This is the first iteration towards ZEP-0053: Bundle format and migration and verification strategy. Intentionally establishing a baseline for compatibility with the bundle format before introducing more complexity in verification.

Packages will now include both a zarf.yaml.sig and a zarf.bundle.sig until we fully deprecate the legacy signature format. Given intent to support verification of the legacy format - it could be as little as multiple releases.

Validated that a package without the legacy signature performs verification as intended.

Additionally this adds a tutorial for package sign/verify for the current baseline.

Related Issue

Fixes #4296
Fixes #4276
Relates to zarf-dev/proposals#53

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs ready!

Name	Link
🔨 Latest commit	9d312fc
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/6979328713d7710008d311d9
😎 Deploy Preview	https://deploy-preview-4519--zarf-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 48 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/pkg/utils/cosign.go	0.00%	21 Missing ⚠️
src/cmd/package.go	0.00%	14 Missing ⚠️
src/pkg/packager/layout/package.go	62.85%	9 Missing and 4 partials ⚠️

Files with missing lines	Coverage Δ
src/pkg/packager/publish.go	64.49% <100.00%> (+0.42%)	⬆️
src/pkg/packager/layout/package.go	62.44% <62.85%> (-0.11%)	⬇️
src/cmd/package.go	37.62% <0.00%> (-0.22%)	⬇️
src/pkg/utils/cosign.go	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AustinAbro321]

Overall logic looks sound, I think the docs could be improved

[AustinAbro321]

As of this PR being merged it will no longer be generated for any new signatures correct?

[brandtkeller]

negative - the legacy format is still being generated as of this PR - but I am proposing a shorter timeline to removal (~2 releases).

[AustinAbro321]

Ah yeah that makes sense, I think it'd advocate for closer to six releases, that way newer packages are still verifiyable on older versions for around 3 months. Either way once this is merged lets make an issue to track the timeline of it being removed

[AustinAbro321]

Logic looks good, added a few more comments on documentation

[AustinAbro321]

Ah yeah that makes sense, I think it'd advocate for closer to six releases, that way newer packages are still verifiyable on older versions for around 3 months. Either way once this is merged lets make an issue to track the timeline of it being removed