feat(verify): ✨ add custom Sigstore trusted root support by pmialon · Pull Request #2003 · fluxcd/source-controller
Enable signature verification of OCI artifacts against self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted Rekor instance) by introducing a trustedRootSecretRef field on the verify spec. When set, the controller reads a trusted_root.json from the referenced Secret, extracts the Rekor URL from the transparency log entries, and creates a verifier using the custom trusted material instead of the public Sigstore TUF root.

Signed-off-by: Pierre-Gilles Mialon <pierre-gilles.mialon@qube-rt.com>
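
The step described above, reading trusted_root.json and taking the Rekor URL from its transparency log entries, sketched in Go as an added example; it is not code from this pull request. The sample JSON and its example.internal URLs are constructed, rekorURLAt is a hypothetical helper, and picking the first tlog entry whose key validity window covers the given time is an assumed selection policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample in the Sigstore TrustedRoot JSON layout; URLs are placeholders.
const sampleTrustedRoot = `{
 "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
 "tlogs": [
  {"baseUrl": "https://rekor-old.example.internal",
   "publicKey": {"validFor": {"start": "2021-01-01T00:00:00Z", "end": "2023-01-01T00:00:00Z"}}},
  {"baseUrl": "https://rekor.example.internal",
   "publicKey": {"validFor": {"start": "2023-01-01T00:00:00Z"}}}
 ]}`

type trustedRoot struct {
	Tlogs []struct {
		BaseURL   string `json:"baseUrl"`
		PublicKey struct {
			ValidFor struct {
				Start *time.Time `json:"start"`
				End   *time.Time `json:"end"`
			} `json:"validFor"`
		} `json:"publicKey"`
	} `json:"tlogs"`
}

// rekorURLAt returns the baseUrl of the first tlog entry whose key is valid at t.
// Assumed policy for illustration: rotated-out (expired) or not-yet-valid logs are skipped.
func rekorURLAt(raw []byte, t time.Time) (string, error) {
	var tr trustedRoot
	if err := json.Unmarshal(raw, &tr); err != nil {
		return "", fmt.Errorf("parse trusted_root.json: %w", err)
	}
	for _, l := range tr.Tlogs {
		v := l.PublicKey.ValidFor
		if l.BaseURL == "" || (v.Start != nil && t.Before(*v.Start)) || (v.End != nil && !t.Before(*v.End)) {
			continue
		}
		return l.BaseURL, nil
	}
	return "", fmt.Errorf("trusted root has no transparency log valid at %s", t.Format(time.RFC3339))
}

func main() {
	fmt.Println(rekorURLAt([]byte(sampleTrustedRoot), time.Now()))
}
```

A trusted root with no usable tlog entry returns an error here rather than an empty URL, so a caller cannot silently fall back to a different Rekor instance.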