@ralphbean
Contributor

Summary

This adds the org.opencontainers.image.title annotation to layer descriptors in attestation manifests to enable tools like 'oras pull' to download attestation bundles with collision-free filenames.

The annotation format is {algorithm}-{hex}.sigstore.json where the hyphen separator ensures cross-platform filename compatibility, particularly for Windows which forbids colons in filenames.

Changes:

  • Add Annotations field to layer descriptors in WriteReferrer
  • Update tests to verify annotation is set correctly
  • Document the optional layer annotation in BUNDLE_SPEC.md

Fixes #4497

🤖 Generated with Claude Code

Release Note

Added org.opencontainers.image.title annotation to attestation layers, enabling oras pull to save bundles locally.

Documentation

I don't believe that a documentation update beyond the update to the bundle spec here is required.

@ralphbean ralphbean requested a review from a team as a code owner October 24, 2025 15:41
@codecov

codecov bot commented Oct 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 36.76%. Comparing base (2ef6022) to head (b7fc7d9).
⚠️ Report is 569 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4498      +/-   ##
==========================================
- Coverage   40.10%   36.76%   -3.35%     
==========================================
  Files         155      220      +65     
  Lines       10044    12119    +2075     
==========================================
+ Hits         4028     4455     +427     
- Misses       5530     6976    +1446     
- Partials      486      688     +202     


Add the org.opencontainers.image.title annotation to layer descriptors
in attestation manifests to enable tools like 'oras pull' to download
attestation bundles with meaningful, collision-free filenames.

The annotation format is {algorithm}-{hex}.sigstore.json where the
hyphen separator ensures cross-platform filename compatibility,
particularly for Windows which forbids colons in filenames.

Changes:
- Add Annotations field to layer descriptors in WriteReferrer
- Update tests to verify annotation is set correctly
- Document the optional layer annotation in BUNDLE_SPEC.md

Fixes sigstore#4497

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Ralph Bean <[email protected]>
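The `{algorithm}-{hex}.sigstore.json` title format from the PR summary and the commit message above, as an added example that is not cosign's own code: it derives the title from a digest, attaches it under `org.opencontainers.image.title`, and checks a file saved by `oras pull` against the hex in its name. It assumes (the page does not say which digest is used) that the hex is the bundle layer's own sha256 digest; the function names and the sample bundle content are constructed for this example, and a plain map stands in for the go-containerregistry descriptor's Annotations field.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

const TitleAnnotation = "org.opencontainers.image.title"
var (
	digestRe = regexp.MustCompile(`^([a-z0-9]+):([0-9a-f]+)$`)
	titleRe  = regexp.MustCompile(`^([a-z0-9]+)-([0-9a-f]+)\.sigstore\.json$`)
)

// BundleTitle maps an OCI digest "sha256:<hex>" to "{algorithm}-{hex}.sigstore.json";
// the hyphen instead of ':' keeps the name valid on Windows filesystems.
func BundleTitle(digest string) (string, error) {
	m := digestRe.FindStringSubmatch(digest)
	if m == nil {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return m[1] + "-" + m[2] + ".sigstore.json", nil
}

// LayerAnnotations builds a bundle layer's annotations from its content, assuming
// (the page does not say) that the title's hex is the layer's own sha256 digest.
func LayerAnnotations(content []byte) (map[string]string, error) {
	sum := sha256.Sum256(content)
	title, err := BundleTitle("sha256:" + hex.EncodeToString(sum[:]))
	if err != nil {
		return nil, err
	}
	return map[string]string{TitleAnnotation: title}, nil
}

// VerifyPulledBundle checks a file saved by `oras pull`: the name must match the title
// format and the content must hash to the hex in it, catching a swapped or corrupted
// bundle before it is parsed. Only sha256 is handled here.
func VerifyPulledBundle(name string, content []byte) error {
	m := titleRe.FindStringSubmatch(name)
	if m == nil || m[1] != "sha256" {
		return fmt.Errorf("unexpected bundle filename %q", name)
	}
	sum := sha256.Sum256(content)
	if got := hex.EncodeToString(sum[:]); got != m[2] {
		return fmt.Errorf("content digest %s does not match filename %s", got, m[2])
	}
	return nil
}
```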

Development

Successfully merging this pull request may close these issues.

Support "oras pull" for attestations