verify cosign attestations.

[colek42]

Witness should be able to verify and create policy on cosign sigs

[developer-guy]

I'd love to investigate this ☝️

/cc @mikhailswift

[colek42]

@developer-guy we really need to map out the problem set for this. If you are still interested it may be best to jump on a quick call.

[colek42]

This involves supporting the sigstore bundle as an envelope type: https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto and integration with OCI.