Sign releaser artifacts, not only container manifests

The current goreleaser configuration leverages cosign to sign the
goreleaser container manifests using public sigstore infrastructure.
This is great!

This PR also signs the rest of the releaser artifacts (binaries, sbom
file, etc), so we can verify them using the aforementioned public
infrastructure. This is very useful for folks consuming the binaries
from the public GitHub releases.

Note that this assumes that the OIDC issuer is GitHub, and thus ties
this signature to be triggered a GitHub action.

Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>

goreleaser.yml

@@ -235,6 +235,21 @@ docker_manifests:
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-ppc64le'
 
+signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  signature: "${artifact}.sig"
+  certificate: "${artifact}.pem"
+  args:
+    - "sign-blob"
+    - "--oidc-issuer=https://token.actions.githubusercontent.com"
+    - "--output-certificate=${certificate}"
+    - "--output-signature=${signature}"
+    - "${artifact}"
+  artifacts: all
+  output: true
+
 docker_signs:
 - cmd: cosign
   env: