For now, I've copied some DSSE code from go-sslib but I suspect (99%) we don't need it and can just implement a temporary sigstore verifier and pass that to go-sslib. Note that the verifier currently uses gitsign endpoints, I need to dive in and check what's actually gitsign specific. I'm starting here because this is what I've previously written for gittuf.
For now, I've copied some DSSE code from go-sslib but I suspect (99%) we don't need it and can just implement a temporary sigstore verifier and pass that to go-sslib. Note that the verifier currently uses gitsign endpoints, I need to dive in and check what's actually gitsign specific. I'm starting here because this is what I've previously written for gittuf.