CLI: stop emitting `.sig` and `.crt` signing outputs

[tnytown]

We should eventually (in the next major version?) output only the .sigstore bundle as a signing artifact. Before that, we may want to consider adding a --bundle-only option, complementary to --no-bundle, that emulates this behavior.

Follow-up to #465.

[woodruffw]

Strongly agreed! Let's do this with a 2.0.0 release, since it'll be a breaking change.