Change the verify attestation implementation

[dlorenc]

Right now when using the verify-attestation command, only the predicate is passed to the verification policy. This is nice, but has a few issues:

• It loses the predicate type itself. This is in the attestation header, but could be useful in policy.
• It makes the commands hard to use separately cosign verify-attestation with just a key will output the full attestation to stdout. This should be usable directly with "cue vet" and the same policy.

[dlorenc]

Cc @developer-guy @Dentrax what do you think?

[Dentrax]

IIUC, we are currently unmarshal ing the predicate body to pass into validation steps, which we do not check the attestation header in current implementation. What we want to here is to validate the entire attestation in policy validation step?

[developer-guy]

Yes, @dlorenc, it makes sense. Actually, in the beginning, we (w/@Dentrax) were aware of that, but we didn't think that this header might be a valuable thing to validate, so we didn't care about it much. Okay, then, we can pass the Attestation as a whole (body + header) to the validation steps and revise the logic according to that. Is it okay for you, too, @dlorenc? 😋

[dlorenc]

Yeah! I think that would be good. I went back and forth on this one too but I think being able to pass the entire thing directly into "cue vet" is the big win.