Reduce dependencies

[haydentherapper]

Description

Tracking issue to coordinate on reducing the number of dependencies in the library.

A few thoughts so far:

• Pulling in Rekor pulls in KMS dependencies. We should look into refactoring upstream to move signing with KMS into its own package.
• Sigstore's timestamp authority pulls in a bunch of dependencies too, while we only need verification. We can either copy code in or refactor upstream.
• JSON libraries are pulling in mongodb for testing. Fixing this upstream is likely to be difficult though.

[steiza]

I did some research today, motivated by wondering if Go's linker could detect code from included libraries that's not actually called.

It turns out the linker does have deadcode detection, but there are common patterns in popular libraries that cause deadcode detection to be disabled for many cases (see also https://github.com/golang/go/issues/14840).

This is something that would be great for the greater Go ecosystem to fix, but is probably outside the scope of sigstore-go specifically.