Part of https://github.com/sigstore/sigstore-python/issues/1111. This changes the sigstore verify CLI command so that when verifying a bundle containing a DSSE envelope, if verification succeeds the inner in-toto statement is printed to the user.
This is done because sigstore-python only verifies the subjects of the DSSE envelope match the artifacts being verified, it does not do any verification on the predicate of the statement. This should be done by the user, which is why we print the statement after verification succeeds, so that the user has easy access to it.
Release Note
CLI: The sigstore verify command now outputs the inner in-toto statement
when verifying DSSE envelopes. If verification is successful, the output
will be "OK: $FILENAME" followed by the inner in-toto statement. This allows
the user to see the statement's predicate, which sigstore-python does not
verify and should be verified by the user.
cc @woodruffw
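As an added example (not sigstore-python's code), this shows what a user does with the printed statement: decode the in-toto statement from a DSSE envelope, reproduce the subject-digest check that sigstore-python does perform, and then apply a predicate policy (expected predicateType and SLSA v1 builder id) that sigstore-python leaves to the user. The artifact, envelope and builder id are constructed, and the DSSE signature and Sigstore certificate/log checks are assumed to have already succeeded.

```python
import base64
import hashlib
import json

# Constructed sample artifact; in practice this is the file passed to `sigstore verify`.
ARTIFACT = b"hello sigstore\n"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def make_envelope(artifact: bytes, predicate_type: str, predicate: dict) -> dict:
    """Build a constructed DSSE envelope wrapping an in-toto Statement for `artifact`.

    The signature is a placeholder: signature verification is assumed done elsewhere.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "artifact.txt",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": IN_TOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}]}


def inner_statement(envelope: dict) -> dict:
    """Decode the in-toto Statement carried in the DSSE payload (what the CLI now prints)."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def subject_matches(statement: dict, artifact: bytes) -> bool:
    """The check sigstore-python performs: some subject's sha256 equals the artifact's."""
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    return any(s.get("digest", {}).get("sha256") == digest for s in subjects)


def predicate_policy_ok(statement: dict, expected_type: str, expected_builder: str) -> bool:
    """The check sigstore-python does NOT perform: the user's own predicate policy.

    Here: predicate must be SLSA provenance v1 from a specific builder
    (predicate.runDetails.builder.id); adapt to whatever predicate you expect.
    """
    if statement.get("predicateType") != expected_type:
        return False
    run = statement.get("predicate", {}).get("runDetails", {})
    return run.get("builder", {}).get("id") == expected_builder
```

Printing `"OK: artifact.txt"` only when `subject_matches` holds, then `json.dumps(inner_statement(env), indent=2)`, reproduces the new CLI output; `predicate_policy_ok` is the step the user must then run over it.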