This PR changes the sigstore verify CLI command so that it accepts digests as inputs (in addition to files).
Concretely:
# Before
sigstore verify identity ..... path/to/artifact.zip # can only verify an artifact
# After
sigstore verify identity ..... path/to/artifact.zip # can verify an artifact
sigstore verify identity ... --bundle b.sigstore.json sha256:aaabbbb..... # can also verify an artifact's digest
This is useful in scenarios where the user doesn't want/need to download the artifact, but has access to its digest.
CLI: The sigstore verify command now supports verifying digests. This means
that the user can now pass a digest like sha256:aaaa.... instead of the
path to an artifact, and sigstore-python will verify it as if it was the
artifact with that digest.
Related to https://github.com/sigstore/sigstore-conformance/issues/157
Documentation
Example added to the README
cc @woodruffw
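
As an added illustration (not code from this PR or from sigstore-python), the sketch below shows how a verifier front end can accept either kind of input and reduce both to the same SHA-256 digest. The helper names, the strict sha256:<64 hex> grammar and the file-before-digest precedence are assumptions of the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed input grammar: "sha256:" followed by exactly 64 hex characters.
_DIGEST_RE = re.compile(r"sha256:([0-9a-fA-F]{64})")


def file_digest(path: Path) -> bytes:
    """Stream the file through SHA-256 so large artifacts are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def resolve_input(arg: str) -> tuple[str, bytes]:
    """Return (kind, sha256 digest) for a CLI argument (hypothetical helper).

    An existing file wins over digest syntax, so a file that happens to be
    named like a digest is hashed rather than trusted as a digest.
    """
    path = Path(arg)
    if path.is_file():
        return "file", file_digest(path)
    m = _DIGEST_RE.fullmatch(arg)
    if m is None:
        # Truncated or malformed digests are rejected instead of guessed at.
        raise ValueError(f"not an existing file or a sha256:<64 hex> digest: {arg!r}")
    return "digest", bytes.fromhex(m.group(1))


def demo() -> bool:
    """Constructed sample: a file and its digest string resolve to the same bytes."""
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d) / "artifact.zip"
        artifact.write_bytes(b"constructed sample artifact")
        _, from_file = resolve_input(str(artifact))
        _, from_digest = resolve_input("sha256:" + from_file.hex())
        return from_file == from_digest


if __name__ == "__main__":
    print(demo())
```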