This fixes a small edge case where a user supplies sha256:hash.jsonl or similar (such as produced by default by gh attestation) and the sigstore verify subcommands interpret it as an (invalid) hash rather than a file input.
The new behavior is to always interpret the input as a path if a file at that path is extant, and to otherwise interpret it as a hash.
CC @facutuesca
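The path-before-hash rule described above, sketched as an added example; it is not sigstore-python's code. `resolve_input`, `demo` and the `base` parameter are hypothetical names, and reducing a file to its SHA-256 digest is an assumption made so both branches return comparable values.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical names throughout; this is not sigstore-python's implementation.
_DIGEST_RE = re.compile(r"sha256:([0-9a-fA-F]{64})")


def resolve_input(arg: str, base: Path = Path(".")) -> tuple[str, bytes]:
    """Classify a verify argument as ("file", digest) or ("hash", digest).

    An existing file always wins; only otherwise is the argument parsed
    as a sha256:<hex> digest.
    """
    candidate = base / arg
    if candidate.is_file():
        return "file", hashlib.sha256(candidate.read_bytes()).digest()
    match = _DIGEST_RE.fullmatch(arg)
    if match is None:
        raise ValueError(f"{arg!r} is neither an existing file nor a sha256:<hex> digest")
    return "hash", bytes.fromhex(match.group(1))


def demo() -> dict[str, object]:
    """Run the resolver over constructed inputs in a temporary directory."""
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # Constructed sample: a file whose name merely looks like a hash prefix.
        (base / "sha256:hash.jsonl").write_bytes(b'{"constructed": true}\n')
        results["named_like_hash"] = resolve_input("sha256:hash.jsonl", base)[0]
        # No file with this name exists, so it is parsed as a digest.
        digest_arg = "sha256:" + hashlib.sha256(b"artifact").hexdigest()
        results["plain_digest"] = resolve_input(digest_arg, base)
        # Precedence case: a file named exactly like a valid digest string.
        (base / digest_arg).write_bytes(b"different content")
        results["shadowed_digest"] = resolve_input(digest_arg, base)
        try:
            resolve_input("sha256:missing.jsonl", base)
        except ValueError as exc:
            results["invalid"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `shadowed_digest` case shows the consequence of the precedence rule: once a file with that exact name exists, the same argument resolves to the file's content rather than to the digest it spells out.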