feat(sign): support for sigstore bundle format

[brandtkeller]

Description

Migrates Zarf package signing to the Sigstore bundle format, aligning with Cosign v3 standards and improving signature portability and verification capabilities.

Changes

The signing implementation now defaults to NewBundleFormat: true and generates both legacy signature files and the new bundle format (saved as zarf.bundle.sig). The SignPackage() function automatically configures the bundle path through the BundlePath option, ensuring all signing operations produce both formats for backward compatibility.

Verification logic implements a fallback strategy that prefers the bundle format over legacy signatures. When verifying packages, the system first checks for a bundle file, and if not found, falls back to the legacy signature format with a deprecation warning to inform users of the transition. Validation Package integrity checks now exclude bundle files from validation, treating them similarly to how legacy signature files are handled to prevent false validation errors.

The implementation maintains dual format support by generating both bundle and legacy signatures during signing operations. This enables a graceful migration path where verification prefers the modern bundle format but seamlessly falls back to legacy signatures with appropriate warnings. The bundle format is now enabled by default, aligning Zarf with Cosign v3 standards.

The bundle format significantly improves verification capabilities by including timestamps and transparency log entries, which enables verification of packages signed with short-lived certificates even after expiration. Existing packages with legacy signatures remain fully functional while new signatures automatically use the modern format. This sets the foundation for eventually deprecating legacy signature support.

Related Issue

Fixes #4296
Fixes #4276

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs canceled.

Name	Link
🔨 Latest commit	48df3d1
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/69680cd9bd0cb0000856662a

[codecov]

Codecov Report

❌ Patch coverage is 46.15385% with 49 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/pkg/utils/trustedroot.go	51.16%	15 Missing and 6 partials ⚠️
src/pkg/utils/cosign.go	0.00%	17 Missing ⚠️
src/pkg/packager/layout/package.go	64.51%	8 Missing and 3 partials ⚠️

Files with missing lines	Coverage Δ
src/pkg/packager/layout/package.go	62.92% <64.51%> (+0.36%)	⬆️
src/pkg/utils/cosign.go	0.00% <0.00%> (ø)
src/pkg/utils/trustedroot.go	51.16% <51.16%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[brandtkeller]

Note the intent to deprecate the standard signature file at some point in the future. Allowing backwards compatibility while shifting all new package creations to using the bundle format.