Add provenance information to packaging

[JAORMX]

It would be ideal if we could embed provenance information to the registry packaging so we could verify it before pulling the container image.

[ChrisJBurns]

Yes!!!!

[lukehinds]

sigstore-go has had full verification for a quite a while now, I think Rado hacked in there for a while.

[JAORMX]

We'll most likely leverage that when we implement this