Add UseSignedTimestamps to CheckOpts, refactor TSA options

[codysoyland]

Summary

This PR adds UseSignedTimestamps to CheckOpts and refactors TSA options to improve readability, consistency, and error handling.

This is partially split out of #3889, where we will need CheckOpts.UseSignedTimestamps in order to set the options needed by sigstore-go's verifier.

Release Note

Documentation

[codecov]

Codecov Report

Attention: Patch coverage is 18.18182% with 27 lines in your changes missing coverage. Please review.

Project coverage is 36.51%. Comparing base (2ef6022) to head (16e1820).
Report is 278 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cosign/verify.go	11.11%	7 Missing and 1 partial ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go	14.28%	3 Missing and 3 partials ⚠️
cmd/cosign/cli/verify/verify_blob.go	44.44%	3 Missing and 2 partials ⚠️
cmd/cosign/cli/verify/verify.go	0.00%	3 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go	0.00%	3 Missing ⚠️
cmd/cosign/cli/verify.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4006      +/-   ##
==========================================
- Coverage   40.10%   36.51%   -3.60%     
==========================================
  Files         155      209      +54     
  Lines       10044    13347    +3303     
==========================================
+ Hits         4028     4873     +845     
- Misses       5530     7853    +2323     
- Partials      486      621     +135     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

This can be rebased to fix the conformance failure.

[haydentherapper]

This looks great, thanks for the cleanup!

When we document this change in the changelog, we should mention that it is a breaking API change if you're calling cosign.Verify with timestamps, but a) we have no semver for the API, and b) I don't think this is a common usecase.