enable to get signature and provenance from a resource in a cluster

Signed-off-by: Hirokuni-Kitahara1 hirokuni.kitahara1@ibm.com

enable to get signature from a configmap in a cluster instead of OCI registry or resource annotation
enable to get provenance from a configmap instead of rekor server for attestation / OCI registry for SBOM
enable to specify a configmap for the above with --manifest-bundle-resource option

the command and its output will be like this

$ kubectl sigstore verify-resource deploy -n sample-ns sample-app  --manifest-bundle-resource sample-bundle-cm --provenance

[SUMMARY]
TOTAL   VALID   INVALID
1       1       0

[MANIFESTS]
NAME                                                SIGNED   SIGNER   ATTESTATION   SBOM
k8s://ConfigMap/manifest-bundles/sample-bundle-cm   true     N/A      found

...

[PROVENANCES - ATTESTATIONS]
ARTIFACT                 manifest.yaml
MATERIALS 1   URI        https://github.com/sample/repository.git
              REVISION   main
              COMMIT     bcea6772ff35dc3004d84f6474c02315e5d8141c
To get this attestation: kubectl get ConfigMap -n manifest-bundles sample-bundle-cm -o=jsonpath='{.data.attestation}'

sigstore / k8s-manifest-sigstore

enable to get signature and provenance from a resource in a cluster #33