Support cosign verification cosign3 signed images

[Xynnn007]

Description

Currently, images signature using the Go version of cosign 3.x are actually uploaded as bundle 0.3 by default, and are bound to the signed image using the referrer API (OCI v1.1).

While for sigstore-rs, only tag-based-discovery for signature and simple signing payload is supported.