[MGPG-130] - Update sigstore extension to ".sigstore.json"

[loosebazooka]

Sigstore uses ".sigstore.json" extension in all our plugins, ".sigstore" is no longer used.

Context: https://github.com/sigstore/sigstore-maven-plugin/blob/main/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java#L47

This change is consistent across java clients (gradle) and language clients (python)

---

Following this checklist to help us incorporate your contribution quickly and easily:

• Make sure there is a JIRA issue filed for the change (usually
  before you start working on it). Trivial changes like typos do not require a JIRA issue. Your pull request should
  address just this issue, without pulling in other changes.
• Each commit in the pull request should have a meaningful subject line and body.
• Format the pull request title like [MGPG-XXX] - Fixes bug in ApproximateQuantiles, where you replace MGPG-XXX
  with the appropriate JIRA issue. Best practice is to use the JIRA issue title in the pull request title and in the
  first line of the commit message.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Run mvn clean verify to make sure basic checks pass. A more thorough check will be performed on your pull
  request automatically.
• You have run the integration tests successfully (mvn -Prun-its clean verify).

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure please ask on the
developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under
  the Apache License Version 2.0, January 2004
• In any other case, please file
  an Apache Individual Contributor License Agreement.

[cstamas]

I would leave old and add sigstore.json as well

[loosebazooka]

I would leave old and add sigstore.json as well

That works, we just don't intend on making any new signatures using that extension. But I have no strong preference.

I'll update the PR

[cstamas]

Are any of the two maven sigstore plugins alive? Afair, they used ".sigstore" for extension...

[loosebazooka]

Both standalone plugin repositories are archived (1, 2), things were a little wild west at the beginning 🤷 . The "supported" plugin is integrated into the sigstore-java repository at https://github.com/sigstore/sigstore-java/tree/main/sigstore-maven-plugin. <-- this supersedes the code in https://github.com/sigstore/sigstore-maven-plugin (which is archived). The latest release at https://central.sonatype.com/artifact/dev.sigstore/sigstore-maven-plugin/0.11.0/versions

[loosebazooka]

@cstamas updated to re-include ".sigstore". I added a tracker to remove it in 6 months or so (sigstore/sigstore-java#759)

[loosebazooka]

This windows test just timing out?

[loosebazooka]

@cstamas any chance this could get another look?