
Add cosign validation for bundle v0.3#581

Open
MarcosDY wants to merge 7 commits into main from upgrade-cosign

Conversation

@MarcosDY
Owner

Summary

  • Upgrades cosign dependency from v2 to v3.0.6 (not required)
  • Adds support for Sigstore Bundle v0.3 verification (cosign v3 default format), using sigstore-go's verify.Verifier directly
  • Adds an OCI referrers fallback tag path to handle registries that return HTTP 405 for the Referrers API (e.g. ghcr.io), bypassing the standard cosign path when needed
  • Maintains backward compatibility with legacy cosign v2 signed images (.sig tag format) by detecting the errFallbackTagNotFound sentinel and surfacing the original error

How it works
When standard cosign verification fails, the verifier falls back to fetching the OCI referrers fallback tag (sha256-) directly. Each referrer manifest is inspected by artifact type:

  • application/vnd.dev.cosign.artifact.sig.v1+json → legacy cosign v2 path (uses cosign.VerifyImageSignature)
  • anything else → treated as Sigstore Bundle v0.3 (uses sigstore-go's verify.Verifier)

The sgVerifier and CertificateIdentity matchers (including regex compilation) are pre-built in Init() to avoid recreation on every Verify() call.

Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
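The fallback-and-dispatch flow the description outlines, as an added Go example that is not code from this PR or from cosign/sigstore-go. It assumes an in-memory registry stand-in (memRegistry), a per-referrer verifier callback (verifyFn) in place of cosign.VerifyImageSignature and sigstore-go's verify.Verifier, and the OCI distribution convention that the fallback tag for "sha256:<hex>" is "sha256-<hex>"; the sample artifact types and digests in the tests are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Artifact type cosign v2 puts on legacy signature manifests (named in the PR).
const cosignSigArtifactType = "application/vnd.dev.cosign.artifact.sig.v1+json"

// errFallbackTagNotFound is the sentinel the PR description mentions.
var errFallbackTagNotFound = errors.New("referrers fallback tag not found")

// referrer is a constructed stand-in for one OCI referrer manifest entry.
type referrer struct {
	ArtifactType string
	Digest       string
}

type verifyPath string

const (
	pathLegacyCosign   verifyPath = "legacy-cosign-v2"     // cosign.VerifyImageSignature
	pathSigstoreBundle verifyPath = "sigstore-bundle-v0.3" // sigstore-go verify.Verifier
)

// fallbackTag derives the OCI referrers fallback tag from a subject digest:
// "sha256:<hex>" becomes "sha256-<hex>" (assumed OCI distribution convention).
func fallbackTag(subjectDigest string) (string, error) {
	alg, hex, ok := strings.Cut(subjectDigest, ":")
	if !ok || alg == "" || hex == "" {
		return "", fmt.Errorf("malformed subject digest %q", subjectDigest)
	}
	return alg + "-" + hex, nil
}

// routeReferrer dispatches on artifact type exactly as the PR describes.
func routeReferrer(r referrer) verifyPath {
	if r.ArtifactType == cosignSigArtifactType {
		return pathLegacyCosign
	}
	return pathSigstoreBundle
}

// memRegistry is a constructed in-memory registry (referrersErr models HTTP 405).
type memRegistry struct {
	referrers    []referrer
	referrersErr error
	fallback     map[string][]referrer // fallback tag -> index entries
}

func (m *memRegistry) Referrers(string) ([]referrer, error) {
	return m.referrers, m.referrersErr
}

func (m *memRegistry) FallbackIndex(tag string) ([]referrer, error) {
	rs, ok := m.fallback[tag]
	if !ok {
		return nil, errFallbackTagNotFound
	}
	return rs, nil
}

// verifyFn is the per-referrer verifier the real code delegates to (assumed).
type verifyFn func(referrer, verifyPath) error

func verifyAll(rs []referrer, verify verifyFn) ([]verifyPath, error) {
	if len(rs) == 0 { // an empty index must not count as "verified"
		return nil, errors.New("no signature referrers found")
	}
	var taken []verifyPath
	for _, r := range rs {
		p := routeReferrer(r)
		if err := verify(r, p); err != nil {
			return nil, fmt.Errorf("verifying %s via %s: %w", r.Digest, p, err)
		}
		taken = append(taken, p)
	}
	return taken, nil
}

// Verify follows the PR flow: standard referrers path first, then the fallback
// tag; a missing fallback tag surfaces the original error, not the sentinel.
func Verify(reg *memRegistry, subjectDigest string, verify verifyFn) ([]verifyPath, error) {
	rs, origErr := reg.Referrers(subjectDigest)
	if origErr == nil {
		taken, err := verifyAll(rs, verify)
		if err == nil {
			return taken, nil
		}
		origErr = err
	}
	tag, err := fallbackTag(subjectDigest)
	if err != nil {
		return nil, err
	}
	rs, err = reg.FallbackIndex(tag)
	if errors.Is(err, errFallbackTagNotFound) {
		return nil, origErr
	}
	if err != nil {
		return nil, err
	}
	return verifyAll(rs, verify)
}
```

Two design points worth keeping when wiring this to real registry calls: an empty fallback index is treated as a verification failure rather than a vacuous success, and the sentinel never escapes Verify, so callers only ever see the error from the standard path when an image carries no fallback tag (the legacy v2 case).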