Migrate Cosign signing and verification to sigstore-go library #225
Description
We have implemented the functionality to sign and verify genval artifacts using Sigstore/cosign. At the time of implementation, this was the way as Sigstore had not released its library for these functionalities. This implementation works by calling Cosign's CLI commands for signing which imposes a dependency on users to have the Cosign CLI utility installed on their local systems. For verification of signatures, we use Sigstor's different packages like fulcio, rekor etc, which bloats the genval binary size.
Hence, it is proposed to migrate from the current implementation to use the new client library released by the Sigstore team — sigstore-go a minimal and friendly API for integrating Go code with Sigstore that is located at github.com/sigstore/sigstore-go