feat: verify release checksum and cosign signature (#550)

* feat: verify release checksum and cosign signature

Download checksums.txt for the release and verify the SHA-256 of the
downloaded archive against it. When cosign is available in PATH, also
download checksums.txt.sigstore.json and verify the signature against
the goreleaser/goreleaser-pro release workflow identity. Both steps
degrade gracefully (with a warning) when the corresponding artifacts
or tooling are missing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: use install() for checksum e2e tests

Drop the http-client download helper from verifyChecksum integration
tests; call goreleaser.install() instead so the test exercises the
public API path and avoids duplicating download logic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.github/workflows/ci.yml

@@ -79,6 +79,9 @@ jobs:
         distribution:
           - goreleaser
           - goreleaser-pro
+        cosign:
+          - true
+          - false
     steps:
       -
         name: Checkout
@@ -90,6 +93,10 @@ jobs:
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
+      -
+        name: Install cosign
+        if: matrix.cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
       -
         name: GoReleaser
         if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}