Add support for verifying root checksum in cosign initialize

[bkabrda]

Summary

The motivation for this PR is explained in and closes #3946 - the ability to verify initial root checksum when downloading via a URL.

Some notes:

• The DoInitialize function still works exactly the same; it's unused here, but may be used from elsewhere (like gitsign).
• Once this PR is merged, I will send another one to utilize the new functionality in gitsign as well.
• I wasn't sure what deprecation date to set here, so I'd be glad for advice.

Release Note

Add a new --root-checksum flag for cosign-initialize. This will ensure cosign verifies the checksum of the file provided via the --root argument before proceeding with initialization. Using this argument will be mandated in the future for initial root obtained from URL.

Documentation

I don't think this requires specific callout in docs, but do let me know if you think oterwise.

[codecov]

Codecov Report

Attention: Patch coverage is 47.91667% with 25 lines in your changes missing coverage. Please review.

Project coverage is 36.41%. Comparing base (2ef6022) to head (7bb0306).
Report is 243 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/cosign/cli/initialize/init.go	0.00%	14 Missing ⚠️
pkg/blob/load.go	70.83%	5 Missing and 2 partials ⚠️
cmd/cosign/cli/options/initialize.go	0.00%	3 Missing ⚠️
cmd/cosign/cli/initialize.go	85.71%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3953      +/-   ##
==========================================
- Coverage   40.10%   36.41%   -3.69%     
==========================================
  Files         155      209      +54     
  Lines       10044    13426    +3382     
==========================================
+ Hits         4028     4889     +861     
- Misses       5530     7910    +2380     
- Partials      486      627     +141     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.