adjust logging for extracting oci artifacts with cosign bits

[amartin120]

Please check below, if the PR fulfills these requirements:

• Commit(s) and code follow the repositories guidelines.
• Test(s) have been added or updated to support these change(s).
• Doc(s) have been added or updated to support these change(s).

Associated Links:

Types of Changes:

• bugfix

Proposed Changes:

hauler store extract walks every descriptor in the store's index whose reference contains the target repo prefix. Cosign sig/att/sbom/referrer descriptors share that prefix, so they get decoded as manifests and fed into the container-image heuristic (isContainerImageManifest), which trips on their config media type and produces:

WRN skipping [/sigs]: container images cannot be extracted (use hauler store copy to push to a registry)

That warning is both wrong (the artifact is a signature, not an image) and noise (signatures are registry-only metadata — not extractable by design, and not something the user asked for).

This change adds a kind-annotation early-return at the top of the extract walk callback, mirroring the existing pattern in cmd/hauler/cli/store/copy.go for directory targets. Sig/att/sbom/referrer descriptors are now skipped silently
(logged at debug level). The container images cannot be extracted warning is unchanged and still fires for legitimate container-image refs.

• cmd/hauler/cli/store/extract.go — skip descriptors whose kind annotation isdev.hauler/sigs, /atts, /sboms, or has the dev.hauler/referrers/ prefix, before the container-image heuristic runs.

Verification/Testing of Changes:

• Before:

$ hauler store extract registry.ranchercarbide.dev/carbide/harvester/harvester-v1.7.1-govt.2-amd64.iso:v1.7.1-govt.2
2026-04-22 10:35:54 WRN skipping [carbide/harvester/harvester-v1.7.1-govt.2-amd64.iso:v1.7.1-govt.2-dev.hauler/sigs]: container images cannot be extracted (use `hauler store copy` to push to a registry)

• After:

$ hauler store extract registry.ranchercarbide.dev/carbide/harvester/harvester-v1.7.1-govt.2-amd64.iso:v1.7.1-govt.2                                                                                                                                             
2026-04-22 09:48:59 INF extracted [application/vnd.oci.image.manifest.v1+json] from store with digest [sha256:15aea92e9496f54a8f9c068d0796ef0480414f5a1795de0efc46b10d17cbab48]

• After (with debug logging):

hauler store extract registry.ranchercarbide.dev/carbide/harvester/harvester-v1.7.1-govt.2-amd64.iso:v1.7.1-govt.2 -l debug 
2026-04-22 09:49:30 INF extracted [application/vnd.oci.image.manifest.v1+json] from store with digest [sha256:15aea92e9496f54a8f9c068d0796ef0480414f5a1795de0efc46b10d17cbab48]
2026-04-22 09:49:30 DBG skipping cosign artifact [carbide/harvester/harvester-v1.7.1-govt.2-amd64.iso:v1.7.1-govt.2-dev.hauler/sigs] for extract

Additional Context:

[zackbradys]

/cherrypick-2.0

[github-actions]

🏷️ Labeled cherrypick/2.0 — backport to release/2.0 will be created automatically when this PR is merged.