zarf package pull does not respect --key flag

[AustinAbro321]

Description

zarf package pull does not respect the --key flag. If a package is signed and an incorrect key is given or no key is given the package will still pull.

We could solve this either by removing the key flag or respecting it. The argument for removing the --key flag is that it's already required for signed packages for other commands such as zarf package deploy and zarf package inspect. However a user could still run zarf tools archiver decompress without using the flag. Additionally, if someone's doing a pull (with Internet) before they sneakernet a package into an air gap to do deploy it would be nice to give them a signature validation error early while they still have Internet access

Steps to reproduce

1. Publish a zarf package with zarf package publish zarf-package-helm-charts-amd64-0.0.1.tar.zst oci://ghcr.io/austinabro321 --signing-key=cosign.key
2. Pull down the signed package with zarf package pull oci://ghcr.io/austinabro321/local-sign/helm-charts:0.0.1 or zarf package pull oci://ghcr.io/austinabro321/helm-charts:0.0.1 --key=wrong-key.pub

Expected result

The package pull fails if no key is given or the wrong public key is given

Actual Result

The package pull succeeds without warning