feat(sigstore): scaffold opt-in signing surface (Round 2 #16)

Phase F (signed releases via sigstore) needs a key-management ADR
before it can ship in full. The scaffold + opt-in extras land
today so the surface is stable:

- pyproject.toml: new [sigstore] extras pulls sigstore>=3.0
- verify.sign_bundle_with_sigstore(bundle_path, dry_run=True):
  - Raises SecurityError if sigstore isn't installed (clear path:
    `pip install 'get-installer[sigstore]'`)
  - dry_run=True returns the planned .sigstore path; no signing
  - dry_run=False raises NotImplementedError with a pointer to
    SPEC Phase F. We prefer fail-loud to silent no-op.

When the ADR lands, the implementation slots in behind this same
signature and existing callers don't change.

Author: imanimanyara

pyproject.toml

@@ -47,6 +47,11 @@ dev = [
   "ruff>=0.9",
   "mypy>=1.13",
 ]
+# `pip install 'get-installer[sigstore]'` enables future signed-bundle
+# attestations (SPEC Phase F). Skeleton wired; full signing flow is
+# pending the key-management ADR (which signing identity, key
+# rotation, where the public verification key ships).
+sigstore = ["sigstore>=3.0"]
 
 [project.scripts]
 get-installer = "get_installer.__main__:main"

src/get_installer/verify.py

@@ -39,6 +39,43 @@ def _hardened_ssl_context() -> ssl.SSLContext:
     return ctx
 
 
+def sign_bundle_with_sigstore(
+    bundle_path: Path,
+    *,
+    dry_run: bool = True,
+) -> Path:
+    """Sign ``bundle_path`` with sigstore (SCAFFOLD — Phase F).
+
+    Wired today as a clean opt-in surface; full signing is pending
+    the key-management ADR. Install with::
+
+        pip install 'get-installer[sigstore]'
+
+    @param bundle_path  the installer.py to sign.
+    @param dry_run      no actual signing yet.
+    @return  the .sig path that would be written.
+    @raises SecurityError when sigstore is not installed.
+    @raises NotImplementedError when called with dry_run=False —
+        we'd rather fail loudly than silently produce a no-op.
+    """
+    try:
+        import sigstore  # type: ignore[import-not-found]  # noqa: F401  # optional [sigstore] extra
+    except ImportError as e:
+        raise SecurityError(
+            "Sigstore signing requires the sigstore package. "
+            "Install via: pip install 'get-installer[sigstore]'"
+        ) from e
+    sig_path = bundle_path.with_suffix(bundle_path.suffix + ".sigstore")
+    if dry_run:
+        return sig_path
+    raise NotImplementedError(
+        "Sigstore signing is pending the key-management ADR. The "
+        "scaffold + extras install are ready; the actual sign() call + "
+        "verification command land in a follow-up release. See "
+        "SPEC §4 Phase F for the design questions still open."
+    )
+
+
 def sha256_of(path: Path) -> str:
     h = hashlib.sha256()
     with open(path, "rb") as f: