feat: add signing certificate to envelope

[asraa]

Signed-off-by: Asra Ali asraa@google.com

Adds a PEM-encoded certificate to the DSSE envelope's signatures. Testing was done to ensure

1. We can add and retrieve the signing cert (the verifier will need the retrieval)
2. Rekor's intoto entry can validate this "slightly off-spec" envelope.

e2e test using this generator code and my verifier PR: https://github.com/asraa/slsa-on-github-test/actions/runs/2516202385

$ go run . -artifact-path ~/Downloads/binary-linux-amd64 -provenance ~/Downloads/binary-linux-amd64.intoto.jsonl -source github.com/asraa/slsa-on-github-test
Verified signature against tlog entry index 2694513 at URL: https://rekor.sigstore.dev/api/v1/log/entries/bf2882983fc8b0652902eab8500b540e1bb2530f91c004a7d6f0c204d703ded7
Signing certificate information:
 {
	"caller": "asraa/slsa-on-github-test",
	"commit": "e8c34fe013f732e9beb61a94b4667e1d30cde82e",
	"job_workflow_ref": "/asraa/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/heads/add-cert-to-envelope",
	"trigger": "workflow_dispatch",
	"issuer": "https://token.actions.githubusercontent.com"
}
FAILED: SLSA verification failed: untrusted reusable workflow: asraa/slsa-github-generator/.github/workflows/builder_go_slsa3.yml
exit status 2

[laurentsimon]

Thanks. Maybe add a test to verify it works as expected

[ianlewis]

+1 for adding a test

[asraa]

Thanks! I'll work on adding a test tomorrow morning, for now I have been able to "retroactively verify" the v1.1.0 release by manually constructing the correct envelope (inserted certPEM) with the code in: slsa-framework/slsa-verifier#97

now to test e2e and add testing (and remove duped code)

[asraa]

Added envelope tests! See PR description.