release: switch signing sidecars to sigstore bundles#358

Merged
kdy1 merged 1 commit into main from kdy1/release-sigstore-bundles
Apr 7, 2026
Conversation

@kdy1 kdy1 commented Apr 7, 2026

Summary

  • switch shared release signing from legacy .sig / .pem sidecars to Sigstore bundle sidecars
  • update direct installers to verify *.sigstore.json bundles with cosign verify-blob --bundle
  • align release contracts and public docs with the new bundle-only direct install flow

Evidence

  • fixes the release-nodeup failure in GitHub Actions where cosign v3.0.5 rejected the old sign-blob invocation
  • local smoke test with cosign v3.0.5 now produces SHA256SUMS plus *.sigstore.json and verifies successfully

Current Gap

  • release automation still emitted legacy sidecars that are incompatible with the current cosign behavior
  • direct installer scripts and docs still referenced .sig / .pem artifacts

Proposed Scope

  • update scripts/release/generate-checksums.sh to emit bundle sidecars only
  • update shell and PowerShell direct installers for nodeup, derun, and dexdex
  • update docs and public docs pages to document bundle-only direct installs

Acceptance Criteria

  • release workflows publish SHA256SUMS and *.sigstore.json sidecars without legacy .sig / .pem files
  • direct installers verify bundle sidecars successfully
  • docs and public docs match the new release artifact contract

Test Scenarios

  • bash -n scripts/release/generate-checksums.sh scripts/install/nodeup.sh scripts/install/derun.sh scripts/install/dexdex-stack.sh
  • local cosign v3.0.5 smoke test for bundle generation and verify-blob --bundle
  • pnpm --filter public-docs test

Out of Scope

  • republishing nodeup@v0.1.10
  • legacy installer fallback for historical .sig / .pem-only releases

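The verification step the PR describes for the direct installers, as an added example (not the project's own installer code): check a release asset against its `*.sigstore.json` bundle with `cosign verify-blob --bundle`, then against the published SHA256SUMS. The signer identity and OIDC issuer are placeholders, assumed here because the page does not state the release workflow's identity; the checksum routine is exercised on a constructed file.

```shell
#!/bin/sh
# Added example of bundle-only release verification for a direct installer.
# SIGNER_IDENTITY / OIDC_ISSUER are PLACEHOLDERS (assumption): the PR page does
# not state the real workflow identity, so override them for a real release.
set -eu

SIGNER_IDENTITY="${SIGNER_IDENTITY:-https://github.com/EXAMPLE_ORG/EXAMPLE_REPO/.github/workflows/release.yml@refs/tags/vX.Y.Z}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"

# Hex SHA-256 of a file; works with coreutils (sha256sum) or BSD/macOS (shasum).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if SHA256SUMS ($2) lists the asset ($1, matched by basename,
# with or without the "*" binary-mode marker) and the digest matches its bytes.
verify_checksum() {
  asset="$1"; sums="$2"
  expected=$(awk -v n="$(basename "$asset")" \
    '$2 == n || $2 == "*" n {print $1; exit}' "$sums")
  [ -n "$expected" ] || { echo "no SHA256SUMS entry for $asset" >&2; return 1; }
  actual=$(file_sha256 "$asset")
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $asset" >&2; return 1; }
}

# Verify the Sigstore bundle sidecar ($2) over the asset ($1). Pinning the
# certificate identity and issuer ties the signature to the release workflow
# rather than accepting any certificate Fulcio has ever issued.
verify_bundle() {
  cosign verify-blob \
    --bundle "$2" \
    --certificate-identity "$SIGNER_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$1"
}

# Installer flow: authenticity first (bundle), then integrity of the exact
# bytes that will be executed (SHA256SUMS). The bundle sidecar follows the
# <asset>.sigstore.json naming the PR describes.
verify_release_asset() {
  asset="$1"; sums="$2"
  verify_bundle "$asset" "$asset.sigstore.json" && verify_checksum "$asset" "$sums"
}
```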
@kdy1 kdy1 merged commit eeb829b into main Apr 7, 2026
16 checks passed
@kdy1 kdy1 deleted the kdy1/release-sigstore-bundles branch April 7, 2026 19:44