fix: SLSA cache signing retry and Rekor conflicts

[leodido]

Summary

Fixes leeway plumbing sign-cache resilience for SLSA cache signing without weakening fail-closed behavior.

• Adds bounded retry with jitter for transient Sigstore/Rekor signing failures, including HTTP/2 INTERNAL_ERROR, timeouts, temporary network failures, and 429/5xx transport-style failures.
• Adds --signing-retry-attempts and LEEWAY_SIGNING_RETRY_ATTEMPTS with conservative defaults and bounds.
• Handles Rekor v1 409 createLogEntryConflict only when Leeway can fetch the existing entry and prove it matches the exact DSSE payload/certificate/signature-derived canonical Rekor body being published.
• Keeps unverified Rekor conflicts fail-closed and prevents upload when no valid attestation bundle is produced.
• Adds focused retry, Rekor conflict, and command regression tests.

Validation

• PATH=/tmp/leeway-test-bin:/tmp/go/bin:$PATH go test ./cmd/... ./pkg/leeway/signing/... -count=1
  • ok github.com/gitpod-io/leeway/cmd 0.137s
  • ok github.com/gitpod-io/leeway/pkg/leeway/signing 5.790s
• PATH=/tmp/leeway-test-bin:/tmp/go/bin:$PATH go test ./...
  • passed
• PATH=/tmp/leeway-test-bin:/tmp/go/bin:$PATH go build -o /tmp/leeway-followup .
  • passed
• PATH=/tmp/leeway-test-bin:/tmp/go/bin:$PATH golangci-lint run ./cmd/... ./pkg/leeway/signing/...
  • reports only pre-existing unrelated findings in cmd/build.go, cmd/exec.go, cmd/experimental-unmount.go, cmd/sbom-export.go, and cmd/init.go; no findings remain in touched signing/sign-cache code.
• CGO_ENABLED=1 go test -race ./cmd/... ./pkg/leeway/signing/... -count=1
  • not runnable in this container because gcc is not installed (cgo: C compiler "gcc" not found).

Notes

The Rekor conflict recovery is implemented for Rekor v1, matching the observed createLogEntryConflict failure path. Rekor v2 remains on upstream Sigstore behavior because it has different duplicate semantics/API shape.