Is your feature request related to a problem? Please describe.

The scorecard GH action is detecting that my last 5 releases don't have signed artifacts, though they do have .sigstore bundles.

Describe the solution you'd like

The .sigstore extension should flag a signed artifact.

Describe alternatives you've considered

Can't think of any 😅

Additional context

• Support generating and verifying with "Sigstore" bundles sigstore/sigstore-python#251