use keyless approach while signing and verifying GoReleaser checksums.txt file

[developer-guy]

Is your feature request related to a problem? Please describe.
It is not related to a problem.

Describe the solution you'd like
A similar approach has been taken in cosign project¹, thanks to @cpanato. Now, we can use this approach while signing and verifying the checksums.txt file of the GoReleaser.

Also thanks to @cpanato, he already prepared a repository² to show people how they can keyless approach with GoReleaser.

Describe alternatives you've considered

• We should remove both cosign.key and cosign.pub files.
• We should enable cosign's experimental mode by providing the COSIGN_EXPERIMENTAL environment variable.
• We should output the certificate while signing the blob, and upload this certificate to the releases.
• We can use this certificate while verifying the checksums.txt.sig file.

Additional context
Add any other context or screenshots about the feature request here.

cc: @caarlos0 @dirien @Dentrax

Footnotes

1. https://github.com/sigstore/cosign/pull/1111 ↩

2. https://github.com/caarlos0-graveyard/gorel-keyless ↩

[developer-guy]

similar projects that try to achieve the same thing:

• Sign released ko binaries ko-build/ko#491

[caarlos0]

pushed what I had laying around on my stash here... cc/ @developer-guy