fix: Fulcio client id flag interpreted as OIDC issuer

[alexashley]

I attempted to use witness with the Sigstore staging Fulcio and ran into an issue where the client id flag was being used as the OIDC issuer:

$ ./bin/witness run -a git -o att.json --fulcio https://fulcio.sigstage.dev --fulcio-oidc-issuer https://oauth2.sigstage.dev/auth --fulcio-oidc-client-id sigstore -s example

ERROR   failed to create signer from Fulcio: Get "sigstore/.well-known/openid-configuration": unsupported protocol scheme ""
ERROR   failed to load signers

The type signature of the function in go-witness has the issuer after the Fulcio URL, but witness is passing the client id instead.

func Signer(ctx context.Context, fulcioURL string, oidcIssuer string, oidcClientID string, tokenOption string) (cryptoutil.Signer, error)

After swapping the order, I was able to sign an attestation with that same command.

This example references the out of order flags.

[colek42]

Thank you!

[colek42]

@alexashley I am going to update this with some fixes for the CI. Thank you for the contribution!

[mikhailswift]

@alexashley thanks so much for this contribution. We've recently reworked how the CLI flags are created and settings are passed in, which fixed this inadvertently.

We really appreciate you contributing and finding this!