cosign copy should have an option to create a "copy attestation"

[znewman01]

A user in Slack has a use case that looks like the following:

1. There's an upstream image we depend on (alpine:latest) with no signatures.
2. We want to verify the images we use. Obviously if there's no upstream signatures, we can't use those.
3. So we want to sign the images when copying to a private repo to note "hey, I got this from hub.docker.com/alpine:latest at time T"

This used to be possible via:

cosign copy upstream:latest private-repo
cosign sign private-repo:latest

But now that we don't allow signing by tag (#2047) it's trickier, you need to:

DIGEST=$(crane resolve upstream:latest)
cosign copy upstream@$DIGEST private-repo
cosign sign private-repo@$DIGEST

This is a little safer in case "private-repo" is malicious.

But it's annoying to do. Also, semantically, the signature here means "I copied this." We could have the user cosign attach attestation instead that basically says "I copied this from : at time T". If this becomes a common pattern, we could build that into cosign copy!

(This hints at a general need for "common attestation patterns" with sugar support in Cosign.)