developer experience could be better

[jku]

It's kind of hard to test out conformance or to start developing it further, especially without a bunch of Python experience. I think we should make it easier to get from "git clone" to "first successful test suite run"

Some specific points of friction:

• virtual env in Makefile is not mentioned in README
• It's not clear that I need to install sigstore-python to test the test suite locally.
• is there a reason for --entrypoint to require an absolute path?
• figuring out the correct xfail incantation on CLI requires quite a bit of investigation

Potential quick fixes:

• Mention make dev and source env/bin/activate in Development section of README
• add sigstore into dev-requirements.txt: this would mean workflows/ci.yml ends up installing sigstore without needing it but maybe that's fine

• Add an example call like this into the README:

  GHA_SIGSTORE_CONFORMANCE_XFAIL="test_verify_with_trust_root test_verify_dsse_bundle_with_trust_root" \
      pytest test --skip-signing --entrypoint=$PWD/sigstore-python-conformance
  

  cc @javanlacerda

[woodruffw]

100% agreed with all of this, thank you for filing @jku!