jobs/release: sign OCI images

This uses the new `cosa sign --oci` switch to sign our OCI images using
the official Fedora GPG keys.

Part of coreos/fedora-coreos-tracker#1969.

I opted for not gating this behind a knob. It's safe to do this even on
streams that still use encapsulated commits (it's just files in S3). But
the earlier we do it, the more overlap we have in which both signature
types (OCI and OSTree) co-exist and that makes migration planning
easier.

Author: jlebon

jobs/release.Jenkinsfile

@@ -293,6 +293,16 @@ lock(resource: "release-${params.STREAM}", extra: locks) {
                             rm tmp/push-secret-${metajsonname}
                             """)
                         }
+                        pipeutils.tryWithMessagingCredentials() {
+                            pipeutils.shwrapWithAWSBuildUploadCredentials("""
+                            cosa sign --build=${newBuildID} \
+                                robosignatory --s3-sigstore ${s3_stream_dir}/sigs/oci \
+                                --aws-config-file \${AWS_BUILD_UPLOAD_CONFIG} \
+                                --extra-fedmsg-keys stream=${params.STREAM} \
+                                --oci=${metajsonname} --gpgkeypath /etc/pki/rpm-gpg \
+                                --fedmsg-conf=\${FEDORA_MESSAGING_CONF}
+                            """)
+                        }
                     }
                 }]}
             }