fix: aggregate per-artifact signing failures so signed annotation is not set

[SAY-5]

Changes

Per-artifact CreatePayload, payload marshalling and SignMessage failures in ObjectSigner.Sign() were only logged and continued without contributing to merr. When every per-artifact operation failed this way, merr stayed nil, so MarkSigned set chains.tekton.dev/signed=true even though nothing was signed, permanently suppressing retries. These three paths now append to merr exactly like the storage-failure path a few lines below already does.

No new unit test is included: the change is the same multierror.Append(merr, ...) pattern already used for storage failures in the same loop, and exercising the payload/marshal/sign failure branches in isolation would require stubbing out the real formatter and x509 signer used by TestSigner_Sign.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs included if any changes are user facing
• Has Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Fix Chains marking a TaskRun/PipelineRun as signed when all per-artifact payload creation, marshalling or signing operations failed.

Closes #1663

[linux-foundation-easycla]

• ❌ - login: @SAY-5 / name: Sai Asish Y. The commit (9f744fe) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please visit our EasyCLA portal and chat with our support bot.

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign wlynch after the PR has been reviewed.
You can assign the PR to them by writing /assign @wlynch in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[infernus01]

Thanks @SAY-5 for the PR. You'd need to sign CLA please check the link in the CI checks below.