Summary

Part of https://github.com/sigstore/sigstore-python/issues/1111. Adds a `sigstore attest` CLI subcommand to sign using DSSE. The command is very similar to `sigstore sign`, but it takes two new options:

- `predicate-type`: One of `[ https://slsa.dev/provenance/v0.2, https://slsa.dev/provenance/v1 ]`. The predicate type for the in-toto statement being signed over.
- `predicate`: The path to the file containing the predicate JSON. The predicate's contents must match the predicate type specified in `predicate-type`.

Since the logic for both `sigstore sign` and `sigstore attest` is mostly the same, this PR extracts that shared logic into a separate function `_sign_common()`, which is then called by `_sign()` and `_attest()` in order to not duplicate that logic.

In order to test it, I have uploaded a SLSA v0.2 provenance predicate here, originally generated by GitHub for this sigstore-python release. Once downloaded, it can be used to sign over a file with the following command:

Release Note

CLI: The `sigstore attest` subcommand has been added. This command is similar to `cosign attest` in that it signs over an artifact and a predicate using a DSSE envelope. This command requires the user to pass a path to the file containing the predicate, and the predicate type. Currently only the SLSA Provenance v0.2 and v1.0 types are supported.

Documentation

Updated the README

cc @woodruffw
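What `sigstore attest` actually signs over, as an added stand-alone illustration (example code written for this page, not sigstore-python's `_attest()`/`_sign_common()` implementation): the predicate file is wrapped in an in-toto v1 Statement whose subject is the artifact's SHA-256 digest, the Statement becomes the payload of a DSSE envelope, and the signature is computed over the DSSE Pre-Authentication Encoding (PAE) rather than the raw JSON. The "predicate must match its predicate type" check from the PR description is modelled here as a required-top-level-keys test; those key sets are this example's reading of the SLSA v0.2 and v1 provenance specs, not something the PR states. The sample predicate and artifact bytes are constructed, and the HMAC signer is a stand-in so the code runs offline: real Sigstore signatures come from an ephemeral key certified by Fulcio, which this example does not reproduce.

```python
"""Build, envelope and check an in-toto/SLSA attestation the way `sigstore attest`
shapes it. Example code only (not sigstore-python); Python stdlib only."""
import base64
import hashlib
import hmac
import json
from typing import Any, Callable, Dict, Set

# Predicate types the PR says are accepted. The required top-level keys used to
# sanity-check a predicate against its type are this example's assumption,
# taken from the SLSA provenance specs, not from the PR text.
SUPPORTED_PREDICATE_TYPES: Dict[str, Set[str]] = {
    "https://slsa.dev/provenance/v0.2": {"builder", "buildType"},
    "https://slsa.dev/provenance/v1": {"buildDefinition", "runDetails"},
}
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample inputs (not GitHub's real provenance output).
SAMPLE_PREDICATE_V1: Dict[str, Any] = {
    "buildDefinition": {"buildType": "https://example.invalid/build/v1", "externalParameters": {}},
    "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
}
ARTIFACT = b"constructed release artifact bytes\n"


def build_statement(name: str, artifact: bytes, predicate_type: str, predicate: dict) -> dict:
    """in-toto Statement binding the artifact digest to the predicate.
    Rejects unsupported types and predicates whose shape does not match the type."""
    if predicate_type not in SUPPORTED_PREDICATE_TYPES:
        raise ValueError(f"unsupported predicate type: {predicate_type}")
    missing = SUPPORTED_PREDICATE_TYPES[predicate_type] - set(predicate)
    if missing:
        raise ValueError(f"predicate does not match {predicate_type}; missing {sorted(missing)}")
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding, the bytes that are actually signed:
    "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def make_envelope(statement: dict, sign: Callable[[bytes], bytes]) -> dict:
    """DSSE envelope around a canonical JSON serialization of the statement.
    `sign` produces the raw signature over the PAE bytes."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = sign(pae(PAYLOAD_TYPE, payload))
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"sig": base64.b64encode(sig).decode()}],
    }


def check_envelope(envelope: dict, artifact: bytes, expected_predicate_type: str,
                   verify: Callable[[bytes, bytes], bool]) -> dict:
    """Consumer-side checks: a signature verifies over the PAE, the payload is an
    in-toto v1 statement of the expected predicate type, and the artifact in hand
    is one of its subjects. Returns the decoded statement or raises ValueError."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"])
    encoded = pae(PAYLOAD_TYPE, payload)
    if not any(verify(encoded, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        raise ValueError("no valid signature over PAE")
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError("not an in-toto v1 statement")
    if statement.get("predicateType") != expected_predicate_type:
        raise ValueError(f"predicateType {statement.get('predicateType')!r} != {expected_predicate_type!r}")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        raise ValueError("artifact digest is not a subject of this statement")
    return statement


# Stand-in signer/verifier so the example runs offline. Sigstore uses an
# asymmetric ephemeral key certified by Fulcio; HMAC is NOT a substitute for that.
_DEMO_KEY = b"demo-only-key-not-a-real-signing-key"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, data, "sha256").digest()


def demo_verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), sig)


if __name__ == "__main__":
    stmt = build_statement("dist/artifact.tar.gz", ARTIFACT, "https://slsa.dev/provenance/v1", SAMPLE_PREDICATE_V1)
    env = make_envelope(stmt, demo_sign)
    print(json.dumps(env, indent=2))
    check_envelope(env, ARTIFACT, "https://slsa.dev/provenance/v1", demo_verify)
    print("envelope checks out for this artifact")
```

The two failure modes worth noticing are the ones the CLI options exist to prevent: `build_statement` refuses a v1-shaped predicate passed with the v0.2 type (or vice versa), and `check_envelope` refuses an envelope whose subject digest does not match the file a consumer actually downloaded, even when the signature itself is fine. Signing over the PAE rather than the raw payload is what stops a payload of one `payloadType` from being replayed as another.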