feat: verify cosign signatures in OCI-SIF

[dtrudg]

Description of the Pull Request (PR):

Adds a --cosign mode to singularity verify. In this mode:

• The digests of each OCI blob in an OCI SIF are verified vs descriptor data.
• For a single OCI image in the SIF, cosign signatures are verified using the provided public --key, and the payload checked for a match to the image digest.
• If no cosign signatures are valid with the provided key material, verify exits with a fatal error.
• If one or more cosign signatures are valid with the provided key material, verify outputs their payloads (JSON).

This fixes or addresses the following GitHub issues:

• Fixes Verify OCI-SIF (cosign/sigstore) #3493

Before submitting a PR, make sure you have done the following:

• Read the Guidelines for Contributing, and this PR conforms to the stated requirements.
• Added changes to the CHANGELOG if necessary according to the Contribution Guidelines
• Added tests to validate this PR, linted with make check and tested this PR locally with a make test, and make testall if possible (see CONTRIBUTING.md).
• Based this PR against the appropriate branch according to the Contribution Guidelines
• Added myself as a contributor to the Contributors File

[tri-adam]

LGTM, basic functionality working here:

$ singularity verify --cosign --key cosign.pub alpine.sif 
INFO:    Verifying image with sigstore/cosign signature, using key material from 'cosign.pub'
INFO:    Verifying digests for 6 OCI Blobs
INFO:    Image digest: sha256:0111d2449f7e37f4d29f606a71be1a9c0d2fe941c66c621953aa87fcc05b6802
INFO:    Image has 1 associated signatures
INFO:    Image has 1 signatures that are valid with provided key material
[{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:0111d2449f7e37f4d29f606a71be1a9c0d2fe941c66c621953aa87fcc05b6802"},"type":"cosign container image signature"},"optional":{"creator":"Singularity-Ce/4.2.0 (Linux amd64) Go/1.23.2","timestamp":1738978687}}]