Sign release artifacts using sigstore

[tammersaleh]

Requires #60

[spkane]

done. We are using the keyless process that is documented here:

https://github.com/sigstore/cosign/blob/main/KEYLESS.md

Notes on how to verify these keys has been added to the standard github release notes (each release that we do).

Details can be seen in the ci.yaml under .github/workflows