Verify cosign signatures on images in the container registry
Summary
In order to display signature information for images signed with cosign (&7856),
we need Rails to be able to verify cosign signatures. The tags index will begin outputting referrer information with container-registry#1009 (closed). For a given referrer with the artifactType of application/vnd.dev.cosign.artifact.sig.v1+json
, we need to be able to fetch all of the related signature data from the registry and verify the signature.