Make sure cosign release signing takes rekor v2 change into account

[jku]

• the default signature transparency log (the one recommended by signingconfig) will be rekor v2 in the future New post about signing defaults change sigstore-blog#92
• cosign 3.x follows this default
• cosigns own release process should make sure that this is appropriate for cosign releases: cosign < 3.0.5 will not be able to verify signatures with rekor v2 entries (without using additional CLI flags)
• so possibly cosign releases still want to use rekor v1 for a while to make sure that bootstrapping is not painful

[jku]

cosign-installer especially uses the "blessed cosign version" to verify the requested cosign version: so current cosign-installer versions (<=4.0.0) will not be able to install cosign releases signed with rekor v2. This doesn't seem too bad assuming cosign-installer gets a new release that can do that and users have had time to upgrade