feat: fixes #547: add npm sigstore-tuf suport

[ramonpetgrave64]

Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547

• [x] Pending: https://github.com/sigstore/sigstore-go/pull/41 Uses the new sigstore-go@0.2.0

Currently slsa-verifier has npmjs' attestation key hardcoded. But sigstore now stores the same key within their own TUF root.

This PR

• dynamically use the keyid specified in the sigstore bundle, rather than the hardcoded keyid.
• uses an updated (pending) sigstore-go library that allows us to fetch a signed and verified copy of the same key.

[ramonpetgrave64]

@laurentsimon please take a look

[ramonpetgrave64]

I've updated the PR to dynamically use the keyid specified in the sigstore bundle, rather than the hardcoded keyid.

[laurentsimon]

@ramonpetgrave64 feel free to merge after addressing the few nits. Please create a tracking issue for the TUF verification discussed in https://github.com/slsa-framework/slsa-verifier/pull/731#discussion_r1560402195. Thanks for the PR!