Add support for signing and validating OCI packages

[lann]

https://docs.sigstore.dev/cosign/signing/signing_with_containers/

WASI packages are already being signed as part of the publish workflow: https://github.com/WebAssembly/wasi-http/blob/ed620562ee1d089a20aa67cd7790782d03f2f505/.github/workflows/publish-0.3.yml#L71-L72

It should be relatively straightforward to validate these signatures with the sigstore crate.