Add certificate definition to upload sigstore cert(s) from cosign

[evankanderson]

Summary

Ozz noticed that we hadn't included the sigstore certs needed to validate our signatures. Since we're using keyless signing, we make up public and private keys for the certificate on the spot, so we need to store the public key after the signing, or the signature is useless. It appears that we may need the certificate field set to upload these certs.

A few grumpy-man-yelling-at-clouds issues:

1. From the action output, it appears that we go and get a new certificate for each artifact, rather than using one cert to sign all the artifacts.
2. Actually verifying the blobs with cosign verify-blob is not well documented; I used something like:

   cosign verify-blob minder_0.0.59_darwin_arm64.tar.gz --certificate sigstore.pub --signature $(cat minder_0.0.59_darwin_arm64.tar.gz.sig) --certificate-identity 'https://github.com/stacklok/minder/.github/workflows/releaser.yml@refs/tags/v0.0.59' --certificate-oidc-issuer https://token.actions.githubusercontent.com
   

   Using the correct signature extracted from the workflow above.

Change Type

Mark the type of change your PR introduces:

• Bug fix (resolves an issue without affecting existing features)
• Feature (adds new functionality without breaking changes)
• Breaking change (may impact existing functionalities or require documentation updates)
• Documentation (updates or additions to documentation)
• Refactoring or test improvements (no bug fixes or new functionality)

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.

Review Checklist:

• Reviewed my own code for quality and clarity.
• Added comments to complex or tricky code sections.
• Updated any affected documentation.
• Included tests that validate the fix or feature.
• Checked that related changes are merged.