Set bundleVerified to true after Rekor verification (Resolves #3740)

[maxlambrecht]

Summary

This PR addresses an issue where the bundleVerified flag was not set to true after a successful online Rekor verification. The change ensures that bundleVerified accurately reflects the verification status when Rekor lookup is used.

Resolves #3740

Release Note

Documentation

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 1 line in your changes missing coverage. Please review.

Project coverage is 36.59%. Comparing base (2ef6022) to head (65969ae).
Report is 135 commits behind head on main.

Files	Patch %	Lines
pkg/cosign/verify.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3745      +/-   ##
==========================================
- Coverage   40.10%   36.59%   -3.51%     
==========================================
  Files         155      200      +45     
  Lines       10044    12220    +2176     
==========================================
+ Hits         4028     4472     +444     
- Misses       5530     7202    +1672     
- Partials      486      546      +60     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

Thanks! Can you add a test for this? I think you just need to check what's returned by a code block like

cosign/pkg/cosign/verify_test.go

Lines 553 to 556 in 65969ae

	if _, err := VerifyImageSignature(context.TODO(), ociSig, v1.Hash{}, &CheckOpts{
	SigVerifier: sv,
	RekorClient: mClient,
	Identities: []Identity{{Subject: "subject@mail.com", Issuer: "oidc-issuer"}},

.

If adding this test isn't straightforward, that's fine, this is a simple enough change.