
add signed releases #128

Draft: wants to merge 1 commit into base: master

Conversation

@shibumi shibumi (Collaborator) commented Sep 26, 2021

Fixes issue:
None

Description:
This PR adds signed releases via goreleaser and cosign. There are a few missing pieces we have to discuss:

  1. Do we want to push the cosign private key into the repository (it's encrypted, but we could embed it via github secrets)
  2. Who should generate the private/public key pair

Furthermore, this PR adds a new in-toto version subcommand. Goreleaser does not support SOURCE_DATE_EPOCH for reproducible builds yet, but a PR for this problem is already open: goreleaser/goreleaser#2510

Please verify and check that the pull request fulfills the following
requirements:

  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

@SantiagoTorres SantiagoTorres (Member) left a comment

Looking good!

.github/cosign.key

// but what if the json package has a bug? :/
fmt.Println("commit : ", commit)
fmt.Println("date : ", date)
fmt.Println("version: ", tag)
Member

Huh this is an interesting way to set the vars. It does seem to be a simple way to do it though...

@shibumi shibumi (Collaborator Author) Sep 27, 2021

I thought about generating a JSON out of this, like kubectl does... would this format be better?

.goreleaser.yaml
@shibumi shibumi force-pushed the shibumi/add-go-releaser branch 2 times, most recently from 5ae173f to 89edb03 Compare September 27, 2021 21:29
shibumi (Collaborator Author) commented Sep 27, 2021

I have made the following changes:

  • We now load the cosign private key via github secrets. Shout-out to @dirien for the workflow :)
  • We use the commitDate instead of Date, thus making the build reproducible.

What needs to be done for getting this merged:

  1. I need to remove the cosign.pub key from this PR
  2. We need to somehow upload a new cosign.pub key and put it in this repository. @SantiagoTorres do you want to be our 'master' key holder, or can we even use TUF for this with you as root key holder (does TUF have cosign support?!)
  3. In the last step the key holder needs to update the github repository secrets. We need the following two variables:
  • COSIGN_PWD: The password of the cosign private key
  • COSIGN_KEY: The private key for cosign
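The two comments above describe the key-based variant: the release job signs with a cosign private key held in repository secrets, and the public half (cosign.pub) is committed so downloaders can verify. What a downloader then has to check is the part the PR does not spell out, so here is an added example (editor's code, not from the PR or the in-toto-golang project) of that consumer-side chain in Go: the signature over goreleaser's checksums file must verify under cosign.pub, and every artifact's SHA-256 must match an entry in that signed file. Assumptions, also marked in the comments: the key pair and artifacts are constructed stand-ins, the password encryption of the real cosign.key is left out, and `cosign sign-blob` is taken to emit a base64-encoded DER ECDSA P-256 signature over the file's SHA-256.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// NewKeyPair stands in for `cosign generate-key-pair`: an ECDSA P-256 key with the
// public half PEM-encoded like cosign.pub (assumption; the real cosign.key is also
// password-encrypted, which is left out here).
func NewKeyPair() (*ecdsa.PrivateKey, []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a P-256 key
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// SignBlob is the release job's side, assumed to match what `cosign sign-blob --key
// cosign.key checksums.txt` emits: a DER ECDSA signature over SHA-256, base64-encoded.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyBlob is the downloader's side: the checksums file is trusted only once
// its signature verifies under the project's published cosign.pub.
func VerifyBlob(pubPEM, blob []byte, sigB64 string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return fmt.Errorf("cosign.pub: not a PEM public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("cosign.pub: not an ECDSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under cosign.pub")
	}
	return nil
}

// Checksums writes the sha256sum-style file goreleaser's checksum step produces.
func Checksums(artifacts map[string][]byte) []byte {
	var b strings.Builder
	for name, data := range artifacts {
		fmt.Fprintf(&b, "%x  %s\n", sha256.Sum256(data), name)
	}
	return []byte(b.String())
}

// VerifyRelease is the full consumer check: signature over the checksums file
// first, then every downloaded artifact against the digests in that file.
func VerifyRelease(pubPEM, checksums []byte, sigB64 string, artifacts map[string][]byte) error {
	if err := VerifyBlob(pubPEM, checksums, sigB64); err != nil {
		return err
	}
	signed := map[string]string{} // name -> hex digest, taken from the signed file only
	for _, line := range strings.Split(string(checksums), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			signed[f[1]] = f[0]
		}
	}
	for name, data := range artifacts {
		if want, ok := signed[name]; !ok || fmt.Sprintf("%x", sha256.Sum256(data)) != want {
			return fmt.Errorf("%s: missing from or mismatching the signed checksums", name)
		}
	}
	return nil
}

func main() {
	priv, pubPEM := NewKeyPair()
	// Constructed stand-in for a goreleaser build output.
	artifacts := map[string][]byte{"in-toto_linux_amd64.tar.gz": []byte("constructed build")}
	sums := Checksums(artifacts)
	sig, _ := SignBlob(priv, sums)
	fmt.Println("pristine release:", VerifyRelease(pubPEM, sums, sig, artifacts))
	artifacts["in-toto_linux_amd64.tar.gz"] = []byte("swapped after signing")
	fmt.Println("tampered artifact:", VerifyRelease(pubPEM, sums, sig, artifacts))
}
```

The ordering matters: the signature is checked before any digest is read from the file, so a checksums file that was replaced along with the binaries is rejected outright, and an artifact that is not listed in the signed file is rejected rather than silently skipped.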

@shibumi shibumi changed the title WIP: add signed releases add signed releases Sep 27, 2021
@shibumi shibumi marked this pull request as ready for review September 27, 2021 22:21
shibumi (Collaborator Author) commented Sep 27, 2021

I think it is ready to merge. I have removed my test cosign public key. The new master key holder has to push the public key to the repository to enable the releases via cosign.

@adityasaky adityasaky marked this pull request as draft October 1, 2021 18:36
@shibumi shibumi force-pushed the shibumi/add-go-releaser branch 10 times, most recently from cd4821b to 570339c Compare November 8, 2021 23:52
shibumi (Collaborator Author) commented Nov 9, 2021

Hello everybody,
I have updated my PR for in-toto-golang releases. #128
Instead of using static keys in the Github secret store we are now directly using the Github Actions OIDC issuer. The OIDC issuer provides a workload identity to the github Actions pipeline and signs the binaries with ephemeral public keys. cosign 1.3.0 does not support storing the public keys on disk, hence we have only a signature. The signature alone is not enough to validate the binaries. The next cosign release will get functionality to automatically retrieve the public key from the rekor transparency log. However, sometimes it is nicer to have the public certificate offline, as well. Hence, I wrote a PR for cosign that implements the missing functionality for storing the public key on disk: sigstore/cosign#1016

Note: The OIDC-Issuer feature is still considered experimental + the public rekor instance may change.
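The comment above switches to the keyless flow, where the point that "the signature alone is not enough" is easy to miss: with no long-lived cosign.pub, the verifier has to obtain the ephemeral certificate and check it, not just the signature bytes. As an added example (editor's code, not from the PR, cosign or the in-toto-golang project), the Go below models that consumer-side check offline: a throwaway CA stands in for the Sigstore Fulcio issuer, a short-lived certificate binds an ephemeral key to a workflow identity carried as a URI SAN, and verification requires that the certificate chains to the trusted issuer, names the expected workflow, and was valid at signing time before the signature itself is checked. The issuer, the identity URL and the `signedAt` timestamp (standing in for what a Rekor entry would supply) are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// NewIssuer builds a throwaway CA, a constructed stand-in for the Sigstore Fulcio
// CA that the GitHub Actions OIDC flow obtains certificates from.
func NewIssuer() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed issuer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueEphemeralCert binds a short-lived signing key to a workload identity (a URI
// SAN naming the workflow), as the OIDC-backed flow does; the private key is
// discarded after the job, so the validity window is kept short.
func IssueEphemeralCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey,
	identity string, notBefore time.Time, ttl time.Duration) ([]byte, error) {
	u, err := url.Parse(identity)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: notBefore, NotAfter: notBefore.Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, URIs: []*url.URL{u},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// VerifyKeyless is the consumer side. The certificate supplies key and identity and
// must chain to the trusted issuer, name the expected workflow, and have been valid
// at signing time (signedAt stands in for the timestamp a transparency-log entry gives).
func VerifyKeyless(issuer *x509.Certificate, certPEM, blob, sig []byte, wantIdentity string, signedAt time.Time) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: signedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted or not valid at signing time: %w", err)
	}
	named := false
	for _, u := range cert.URIs {
		named = named || u.String() == wantIdentity
	}
	if !named {
		return fmt.Errorf("certificate does not name workflow %q", wantIdentity)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(blob)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under the certificate key")
	}
	return nil
}

func main() {
	issuer, issuerKey, _ := NewIssuer()
	signer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral key, lives only for this job
	id := "https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/main" // constructed
	issued := time.Now()
	certPEM, _ := IssueEphemeralCert(issuer, issuerKey, &signer.PublicKey, id, issued, 10*time.Minute)
	blob := []byte("constructed checksums.txt")
	digest := sha256.Sum256(blob)
	sig, _ := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	fmt.Println("in window:   ", VerifyKeyless(issuer, certPEM, blob, sig, id, issued.Add(time.Minute)))
	fmt.Println("after expiry:", VerifyKeyless(issuer, certPEM, blob, sig, id, issued.Add(time.Hour)))
}
```

The "after expiry" case is the one that distinguishes this model from a static cosign.pub: the same signature is cryptographically valid forever, but it is only meaningful if it was produced while the short-lived certificate was valid, which is why the verifier needs a trustworthy signing time and not just the signature and certificate.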

.goreleaser.yaml

@developer-guy (Contributor)

friendly ping @shibumi, you might want to take a look at 👇
goreleaser/goreleaser#2659 (comment)

shibumi (Collaborator Author) commented Nov 10, 2021

@developer-guy I have force-pushed to this branch. Have a look.

@developer-guy (Contributor)

> @developer-guy I have force-pushed to this branch. Have a look.

LGTM @shibumi, thank you.

shibumi (Collaborator Author) commented Jan 2, 2022

I have added SBOM generation and updated the goreleaser version
