
GA: GPG + sigstore cosign-keyless signing pipeline + key-management runbook #750

Description

@justinjoy

Why (block)

#687 (v1.0.0 GA Epic) lists "Signed git tag (GPG + sigstore
cosign keyless)" as an exit condition but does not break out
the engineering work: key generation, OIDC trust policy,
publishing-platform configuration, key-rotation runbook, and
fallback if cosign-keyless is unavailable for a given runner.

If unfiled, this is discovered on tag day. Filing now so
v1.0.0 GA can land on schedule (due 2026-12-01).

Scope

  • GPG signing:
    • Generate or designate the maintainer GPG key for tag
      signatures (4096-bit RSA or Ed25519), and generate a
      revocation certificate for it at the same time.
    • Document the full fingerprint in docs/RELEASE_PROCESS.md.
    • Upload the public key to the maintainer's GitHub account
      (Settings > SSH and GPG keys) so pushed tags render as
      Verified.
    • git tag -s v1.0.0 ... becomes the canonical tag step;
      run git tag -v v1.0.0 locally before pushing.
  • Sigstore cosign keyless:
    • Grant the release workflow the id-token: write permission
      so GitHub Actions issues an OIDC token; Fulcio binds that
      workflow identity into a short-lived certificate.
    • Fulcio has no per-repo trust policy. The trust decision is
      made at verification time: consumers pin
      --certificate-identity to the wirelog release workflow ref
      (repo:semantic-reasoning/wirelog) and
      --certificate-oidc-issuer to
      https://token.actions.githubusercontent.com.
    • cosign sign-blob --bundle <artifact>.sigstore.json <artifact>
      (keyless is the default in cosign 2.x when no --key is
      given; cosign sign is for OCI images, not files) for the
      source tarball, the SBOM files, and the ABI manifest.
  • Runbook (docs/RELEASE_PROCESS.md or new
    docs/SIGNING.md):
    • Step-by-step tag-time signing procedure.
    • Verification recipe a downstream consumer can run,
      including the exact identity and issuer values to pin.
    • Key-rotation procedure (publish the revocation certificate,
      switch to the new key, update the documented fingerprint;
      what to do if the GPG key is compromised).
    • Fallback if Fulcio or Rekor is unreachable from the runner
      (detached GPG signatures over the same artifacts, so the
      release is never published unsigned).
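The tag-time procedure and the downstream verification recipe above, written out as one script. This is an added example for this issue, not a script that exists in the wirelog repository. It assumes a workflow path of .github/workflows/release.yml, the artifact file names listed in artifacts(), and a GPG_KEY environment variable holding the documented fingerprint; the real values belong in docs/RELEASE_PROCESS.md.

```shell
#!/bin/sh
# release-sign.sh: tag-time signing and consumer-side verification.
# Added example, not the project's own script. Assumed names: the workflow
# path, the artifact file names, and the GPG_KEY placeholder.
set -eu

REPO="semantic-reasoning/wirelog"
WORKFLOW=".github/workflows/release.yml"           # assumption
OIDC_ISSUER="https://token.actions.githubusercontent.com"
FULCIO_URL="https://fulcio.sigstore.dev"
GPG_KEY="${GPG_KEY:-<maintainer-fingerprint>}"     # from docs/RELEASE_PROCESS.md

# The keyless certificate carries the workflow identity as a SAN. Consumers
# pin this exact string; Fulcio itself enforces no per-repo policy.
expected_identity() {
    printf 'https://github.com/%s/%s@refs/tags/%s\n' "$REPO" "$WORKFLOW" "${1:?tag}"
}

# Files that get a signature: source tarball, SBOMs, ABI manifest (names assumed).
artifacts() {
    tag="${1:?tag}"
    printf '%s\n' "wirelog-${tag#v}.tar.gz" "sbom.spdx.json" "sbom.cdx.json" "abi-manifest.json"
}

# Pick the signing mode from a reachability result, so the decision is testable
# without network: keyless when Fulcio answered, detached GPG otherwise.
select_mode() {
    case "${1:?reachable|unreachable}" in
        reachable)   echo keyless ;;
        unreachable) echo gpg-detached ;;
        *) echo "select_mode: bad argument '$1'" >&2; return 1 ;;
    esac
}

fulcio_reachable() {
    if curl -fsS --max-time 5 "$FULCIO_URL/api/v2/trustBundle" >/dev/null 2>&1; then
        echo reachable
    else
        echo unreachable
    fi
}

# Step 1: the canonical signed tag, verified locally before it is pushed.
sign_tag() {
    tag="${1:?tag}"
    git tag -s -u "$GPG_KEY" -m "wirelog $tag" "$tag"
    git tag -v "$tag"
}

# Step 2: sign every artifact. cosign 2.x is keyless when no --key is given;
# --bundle keeps certificate, signature and Rekor entry in one file.
sign_artifacts() {
    tag="${1:?tag}"
    mode="$(select_mode "$(fulcio_reachable)")"
    artifacts "$tag" | while read -r f; do
        case "$mode" in
            keyless)      cosign sign-blob --yes --bundle "$f.sigstore.json" "$f" ;;
            gpg-detached) gpg --local-user "$GPG_KEY" --armor --detach-sign \
                              --output "$f.asc" "$f" ;;
        esac
    done
    echo "$mode" > SIGNING_MODE
}

# Consumer recipe: pin identity AND issuer. Without both, any certificate
# Fulcio ever issued would verify.
verify_artifacts() {
    tag="${1:?tag}"
    artifacts "$tag" | while read -r f; do
        if [ -f "$f.sigstore.json" ]; then
            cosign verify-blob --bundle "$f.sigstore.json" \
                --certificate-identity "$(expected_identity "$tag")" \
                --certificate-oidc-issuer "$OIDC_ISSUER" "$f"
        elif [ -f "$f.asc" ]; then
            gpg --verify "$f.asc" "$f"
        else
            echo "no signature found for $f" >&2
            return 1
        fi
    done
}

# Usage: ./release-sign.sh sign v1.0.0   |   ./release-sign.sh verify v1.0.0
case "${1:-}" in
    sign)   sign_tag "$2"; sign_artifacts "$2" ;;
    verify) verify_artifacts "$2" ;;
esac
```

The fallback branch signs the same files with a detached GPG signature, so a Fulcio outage delays nothing and the consumer recipe still has something to check; the SIGNING_MODE file records which path was taken so the release notes can say so.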

Acceptance

Cross-ref: #687, #685, #686.
