Sign kpt functions by default using cosign
Describe your problem
This is a similar issue to the one we have opened for Docker Extensions^1. At the time of writing, Kpt functions are distributed as container images, and there may be function providers other than Google itself. This raises another problem: how will I know whether a given function comes from a trusted authority? This is where the cosign tool from Sigstore comes to the rescue. By signing Kpt functions with cosign, and based on the signatures cosign creates, we can badge them to show that a function is a trusted Kpt function, and anyone can verify it by running the `cosign verify` command, etc.
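As an added example of the verification side proposed above (this is not kpt's or cosign's own code), the following script reads the function images listed in a Kptfile's `pipeline` section, runs `cosign verify` against each one with a pinned public key, and only invokes `kpt fn render` when every image verifies. The key file name `cosign.pub`, the `COSIGN_PUB` variable and the sample Kptfile contents are assumptions made for this example; it relies on the real `cosign verify --key` and `kpt fn render` commands being installed.

```shell
#!/usr/bin/env bash
# Added example (not kpt's or cosign's code): refuse to render a kpt package
# unless every function image in its Kptfile carries a valid cosign signature.
# Assumption: the functions were signed with the private key matching
# $COSIGN_PUB (default file name "cosign.pub" is constructed for this example).
set -eu

COSIGN_PUB="${COSIGN_PUB:-cosign.pub}"

# Print the function image references found in a Kptfile, one per line.
# Matches lines such as "    - image: gcr.io/kpt-fn/set-labels:v0.1".
list_fn_images() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$1"
}

# Verify a single image signature; returns cosign's exit status
# (0 only when a signature matching $COSIGN_PUB is found for that digest).
verify_fn_image() {
  cosign verify --key "$COSIGN_PUB" "$1" >/dev/null 2>&1
}

# Verify every function image in a Kptfile. Reports each unverified image
# on stderr and returns 1 if any image failed, so callers can gate on it.
verify_kptfile() {
  local kptfile="$1" image failed=0
  for image in $(list_fn_images "$kptfile"); do
    if verify_fn_image "$image"; then
      echo "verified:   $image"
    else
      echo "UNVERIFIED: $image" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Usage: ./verify-kpt-fns.sh path/to/Kptfile
# Renders the package only after all function images verify; `set -e`
# aborts before `kpt fn render` if verify_kptfile returns non-zero.
if [ -n "${1:-}" ]; then
  verify_kptfile "$1"
  kpt fn render "$(dirname "$1")"
fi
```

The gate is deliberately all-or-nothing: one unsigned or wrongly signed image fails the whole render, which is the behaviour you want in CI where a single untrusted mutator can rewrite every resource in the package.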
cc: @dentrax @dlorenc