cosign: switch to the new bundle signature format [ci skip]

The signature suffix (`.sigstore`) is subject to change. This is so new,
there is no documentation yet. Existing documentation and its pending
update do not mention or specify a suffix (or I couldn't find it.)
An internet or GitHub search also didn't help.

I've seen so far: .sigstore.json, .bundle, .sig

TODO: also update this in curl/curl-www once decided or before the next
release latest.

It's also an option to stay with the `.cosign` suffix and format, though
not recommended.

Ref: sigstore/cosign#4440
Ref: sigstore/sigstore-blog#89
Ref: sigstore/docs#385

Author: vszakats

README.md

@@ -20,7 +20,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
   ```
   Verify using:
   ```
-  cosign verify-blob --key cosign.pub.asc --signature curl-8.14.0-win64-mingw.tar.xz.cosign curl-8.14.0-win64-mingw.tar.xz
+  cosign verify-blob --key cosign.pub.asc --bundle curl-8.14.0-win64-mingw.tar.xz.sigstore curl-8.14.0-win64-mingw.tar.xz
   ```
 - Standalone `curl` tool and `libcurl` DLL. Static libraries included.
 - Required: Windows Vista with

_sign-pkg-cosign.sh

@@ -15,8 +15,8 @@ if [ -n "${COSIGN_PKG_KEY:-}" ] && \
   file="$1"
   echo "Package signing with cosign: '${file}'"
   tr -d '\n' <<EOF | \
-  cosign sign-blob -y --key="${COSIGN_PKG_KEY}" --output-signature="${file}.cosign" "${file}"
+  cosign sign-blob -y --key="${COSIGN_PKG_KEY}" --new-bundle-format=true --bundle="${file}".sigstore "${file}"
 ${COSIGN_PKG_KEY_PASS}
 EOF
-  chmod 0644 "${file}.cosign"  # cosign creates it with 0600
+  chmod 0644 "${file}".sigstore  # cosign creates it with 0600
 fi