Verify container image signatures using cosign

[JamieMagee]

Once dependabot/dependabot-core#9546 is completed for production images, we should verify the container image signatures.

This can be done with cosign. See sigstore's documentation on signature verification for information¹, though we may be able to use cosign as a go library directly, instead of using the CLI.

Footnotes

1. https://docs.sigstore.dev/verifying/verify/ ↩

[JamieMagee]

Production images are now signed with cosign and can be verified

$ cosign verify \
  ghcr.io/dependabot/dependabot-updater-bundler:latest \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-latest.yml@refs/heads/main

Verification for ghcr.io/dependabot/dependabot-updater-bundler:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
...

[JamieMagee]

OpenTelemetry containers are also signed with cosign:

$ cosign verify \
  docker.io/otel/opentelemetry-collector-contrib:latest \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/open-telemetry/opentelemetry-collector-releases/.github
/workflows/base-release.yaml@refs/tags/v0.99.0

Verification for index.docker.io/otel/opentelemetry-collector-contrib:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
...