What would you like to be added:
The information about the release process should contain information on how GoReleaser signs our assets with Cosign (config done here) and how these signatures can be verified after download.
In addition to that, we should explain what we use the central GPG key for, which is currently only for Debian packages.
Why is this needed: An explanation of how assets are signed using Cosign is completely missing, and the section https://github.com/open-component-model/ocm?tab=readme-ov-file#gpg-public-key assumes that the GPG key is used for much more than just publishing Debian packages to a public repository.