Verify the signatures during installation via install script

[leodido]

Describe the feature or problem you’d like to solve

The install script (install.sh) should verify the signatures before actually installing lstn.

Not sure whether we want this to be mandatory or optional, at the moment.

Proposed solution

Here's an openssl bases verification method:

# base64 decode the signature
base64 -d ~/Downloads/lstn_0.1.0_macos_amd64.tar.gz.sig > ~/Downloads/lstn_0.1.0_macos_amd64.tar.gz.decoded.sig
# base64 decode the key
base64 -d ~/Downloads/lstn_0.1.0_macos_amd64.pem > ~/Downloads/lstn_0.1.0_macos_amd64.decoded.pem
# convert the PEM to PUB
openssl x509 -in ~/Downloads/lstn_0.1.0_macos_amd64.decoded.pem -pubkey -noout > ~/Downloads/lstn_0.1.0_macos_amd64.pub
# verify
openssl dgst -sha256 -verify ~/Downloads/lstn_0.1.0_macos_amd64.pub -signature ~/Downloads/lstn_0.1.0_macos_amd64.tar.gz.decoded.sig ~/Downloads/lstn_0.1.0_macos_amd64.tar.gz
# Outputs: Verified OK

Otherwise it can be done with cosign:

COSIGN_EXPERIMENTAL=1 cosign verify-blob \
  --certificate ~/Downloads/lstn_0.1.0_macos_amd64.pem \
  --signature ~/Downloads/lstn_0.1.0_macos_amd64.tar.gz.sig \
  ~/Downloads/lstn_0.1.0_macos_amd64.tar.gz
# tlog entry verified with uuid: c8ba1bff17bee82890986cf9c1c867f6989b1a5b7454f828f3d3713049e34ede index: 14006913
# Verified OK

Additional context

NONE