refactor bundle validation code, add support for DSSE rekor type

[bobcallaway]

Summary

This refactors the bundle verification code to only parse entry JSON once, and use reflection to determine the appropriate way to extract the Rekor-type specific information.

Also adds support for the newly added DSSE type in Rekor (currently only deployed to staging, not production). I will propose a new PR to switch over the default behavior to use dsse instead of intoto Rekor type once this goes live into production.

Release Note

NONE

Documentation

[codecov]

Codecov Report

Merging #3016 (eb62e59) into main (80c0f88) will decrease coverage by 0.07%.
The diff coverage is 21.91%.

@@            Coverage Diff             @@
##             main    #3016      +/-   ##
==========================================
- Coverage   31.06%   31.00%   -0.07%     
==========================================
  Files         155      155              
  Lines        9744     9712      -32     
==========================================
- Hits         3027     3011      -16     
+ Misses       6255     6250       -5     
+ Partials      462      451      -11     

Impacted Files	Coverage Δ
pkg/cosign/tlog.go	37.13% <0.00%> (-2.07%)	⬇️
pkg/cosign/verify.go	37.51% <29.09%> (+0.28%)	⬆️

[haydentherapper]

What about intoto types? I see we didn't try to extract signatures previously, but isn't that a gap?

[bobcallaway]

in compareSigs if an actual attestation is stored in OCI, the signature from the DSSE envelope is not stored as a separate file (as it would be with other types) so the verification is done elsewhere.

[cpanato]

needs rebase

[haydentherapper]

LGTM to me, just one comment on a test. @bobcallaway do you want to also update this PR to switch the default type to dsse too since the Rekor update is now in prod?

[haydentherapper]

@bobcallaway is this ready to go?

[cpanato]

@haydentherapper @bobcallaway, after this can we cut a release?

[hectorj2f]

lgtm

[cpanato]

@bobcallaway need rebase