Implement keyless verification

[jiparis]

Currently, keyless signing is in production in experimental mode, as generated attestations are not yet verifiable (because generated certificate is not stored).

This task is for implementing the full verification scenario, following best practices.

[jiparis]

We will adopt sigstore approach for storing and verifying local bundles.

[jiparis]

See #990 for storing the verification material.