Release 3.3.0
cc @woodruffw
Changelog:
CLI: The sigstore verify command now outputs the inner in-toto statement
when verifying DSSE envelopes. If verification is successful, the output
will be the inner in-toto statement. This allows the user to see the
statement's predicate, which sigstore-python does not verify and which should
be verified by the user.
CLI: The sigstore attest subcommand has been added. This command is
similar to cosign attest in that it signs over an artifact and a
predicate using a DSSE envelope. This command requires the user to pass
a path to the file containing the predicate, and the predicate type.
Currently only the SLSA Provenance v0.2 and v1.0 types are supported.
CLI: The sigstore verify command now supports verifying digests. This means
that the user can now pass a digest like sha256:aaaa.... instead of the
path to an artifact, and sigstore-python will verify it as if it were the
artifact with that digest.
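As an added example that is not part of sigstore-python: a small Python check of the in-toto statement that sigstore verify prints for a DSSE envelope, covering the predicate checks the changelog leaves to the user (the verified artifact digest appears as a subject, the predicate type is one of the supported SLSA provenance versions, and the builder id is the one you expect). The sample statement, its builder id and build type are constructed placeholders, not real output.

```python
import hashlib
import json
import sys

# Constructed sample of an inner in-toto statement (SLSA provenance v1),
# shaped like what `sigstore verify` prints after a successful DSSE check.
SAMPLE_DIGEST = hashlib.sha256(b"example artifact bytes").hexdigest()
SAMPLE_BUILDER = "https://example.invalid/builder@v1"  # placeholder
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/build/v1"},
        "runDetails": {"builder": {"id": SAMPLE_BUILDER}},
    },
})

# Where the builder id lives inside the predicate, per supported predicate type.
BUILDER_ID_PATHS = {
    "https://slsa.dev/provenance/v0.2": ("builder", "id"),
    "https://slsa.dev/provenance/v1": ("runDetails", "builder", "id"),
}

STATEMENT_TYPES = ("https://in-toto.io/Statement/v1",
                   "https://in-toto.io/Statement/v0.1")


def check_statement(statement_json: str, artifact_sha256: str,
                    expected_builder_id: str) -> bool:
    """True only if the statement binds our artifact to a trusted builder."""
    stmt = json.loads(statement_json)
    if stmt.get("_type") not in STATEMENT_TYPES:
        return False
    # The artifact we verified must be listed as a subject with an exact digest match.
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == artifact_sha256 for s in subjects):
        return False
    # Only accept the SLSA provenance versions we know how to inspect.
    path = BUILDER_ID_PATHS.get(stmt.get("predicateType"))
    if path is None:
        return False
    node = stmt.get("predicate", {})
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node == expected_builder_id


if __name__ == "__main__":
    # Usage: python check.py <sha256 hex> <expected builder id> < statement.json
    ok = check_statement(sys.stdin.read(), sys.argv[1], sys.argv[2])
    sys.exit(0 if ok else 1)
```

Pipe the statement printed by sigstore verify into the script; a non-zero exit means the predicate is not one you should trust even though the envelope signature verified.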