chore: Add install tutorial with cosign check

[matglas]

What this PR does / why we need it

Add install tutorial with cosign check. This allows people to install and verify the witness release. The additional pem output is needed to allow cosign verify-blob to work.

The information that is in there is inspired by gittuf documentation that had it in there already. Thanks @adityasaky.

Which issue(s) this PR fixes (optional)

Fixes

• curl + exec install is bad practice #418

Acceptance Criteria Met

• Docs changes if needed
• Testing changes if needed
• All workflow checks passing (automatically enforced)
• All review conversations resolved (automatically enforced)
• DCO Sign-off

Special notes for your reviewer:

It could be an option to move the INSTALL.md to the docs folder and make it part of the website too. Open for feedback.

[netlify]

✅ Deploy Preview for witness-project ready!

Name	Link
🔨 Latest commit	691d2af
🔍 Latest deploy log	https://app.netlify.com/sites/witness-project/deploys/6751e02fb88d6500080f5b43
😎 Deploy Preview	https://deploy-preview-506--witness-project.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[kairoaraujo]

IMO, this should be the way we install using our install-witness.sh 😄

Of course, giving users details on installing it without the script is always good for clarity. A lot of folks don't like executing scripts blindly (even more folks from security 🤣 )

[jkjell]

With #508 merged, we can test after the next release is cut and merge the docs. 🎉

[adityasaky]

IMO, this should be the way we install using our install-witness.sh 😄

Personally, I think it might be better to get rid of this script. In the script, we can't assume people have cosign installed (the right way) either, so overall it's quite complicated to get it right. I think perhaps pointing to brew.sh etc might be more appropriate alongside the downloading pre-built binary + sig check steps added in this PR. Maybe we also get it listed on winget? cc @patzielinski who oversaw that for gittuf recently.

[patzielinski]

This looks to be a self-contained binary, so getting Witness onto Winget should be trivial. Note that version update pull requests need to be manually submitted to the Winget repo unlike Homebrew (unless a workflow is added to CI to automatically open PRs upon release - this requires a PAT to my knowledge)

See the manifests for gittuf here: https://github.com/microsoft/winget-pkgs/tree/master/manifests/g/gittuf/gittuf/0.6.2

[ChaosInTheCRD]

we can brew install witness now, but I reckon we should get this merged for now and follow up with getting this added (and further actions) later on.