v4.3.0: drop cosign signing — subtractive release

containers/image cannot verify our keyless signatures at pull time (containers/container-libs#388 since Oct 2025, no fix landed). Signing without verification is ceremony; remove the ceremony. SBOM generation stays as real audit value. See basef README for the upstream blocker + monthly re-check + how-to-re-enable runbook.