Feature: plugin source verification

[FLimburg]

Implement plugin source verification to avoid:
Error: plugin source does not support verification. Use --verify=false to skip verification

This needs a provenance (.prov) file, which can be created during package creation with the --sign flag.
helm plugin package --sign --key "<your key identifier>" --keyring ~/.gnupg/secring.gpg <yout chart></
and verify the plugin:
helm plugin verify <your chart>.tgz

But since we are using goreleaser at the moment:
https://goreleaser.com/ci/actions/#workflow
https://goreleaser.com/customization/sign/

[FLimburg]

Files listed in .prov ( cm-push-v0.11.2.tgz, is the auto created output filename. Buildscript renames it) does not match os-arch specific filename (helm-push_v0.11.2_darwin_arm64)

Somehow latest release tag is still linking to v0.11.0 instead of current 0.11.2

Avoid installing git repo first, instead use archive only?

[FLimburg]

verification is not supported from repo install url.
each os/arch has now its own release including a .prov file for verification.
Installation from archive directly will not work.
The install script uses a verify step after download.