We are working on adding support to cosign for trusted roots (#3700) and the protobuf bundle format (#3139).
For folks who have previously signed disparate content, it could be helpful to have a subcommand that helps them assemble it into a new protobuf bundle.
Likewise, for folks with a private Sigstore deployment, it might be helpful to provide a subcommand that takes disparate verification material and assembles a trusted root.
Here's an example of what those commands could look like:
`cosign create-new-bundle`

Assembles a protobuf ("new") bundle. Has flags similar to `verify-blob` and `verify-blob-attestation`. Includes whatever information is not empty strings.

```
--bundle='':
    path to bundle FILE to output
--certificate='':
    path to the public certificate. The certificate will be verified
    against the Fulcio roots.
--rfc3161-timestamp='':
    path to RFC3161 timestamp FILE
--sct='':
    path to a detached Signed Certificate Timestamp, formatted as a
    RFC6962 AddChainResponse struct. If a certificate contains an SCT,
    verification will check both the detached and embedded SCTs.
--signature='':
    signature content or path or remote URL
```
`cosign create-trusted-root`

Defaults to outputting the PGI trusted root, obtained via TUF. Has flags similar to `verify-blob` and `verify-blob-attestation`. Includes whatever information is not empty strings (e.g. if you don't want a timestamp authority in your trusted root, leave off `--timestamp-certificate-chain`).

```
--ca-intermediates='':
    path to a file of intermediate CA certificates in PEM format which
    will be needed when building the certificate chains for the signing
    certificate. The flag is optional and must be used together with
    --ca-roots, conflicts with --certificate-chain.
--ca-roots='':
    path to a bundle file of CA certificates in PEM format which will be
    needed when building the certificate chains for the signing
    certificate. Conflicts with --certificate-chain.
--certificate-chain='':
    path to a list of CA certificates in PEM format which will be needed
    when building the certificate chain for the signing certificate. Must
    start with the parent intermediate CA certificate of the signing
    certificate and end with the root certificate. Conflicts with
    --ca-roots and --ca-intermediates.
--key='':
    path to the public key file, KMS URI or Kubernetes Secret
--rekor-url='https://rekor.sigstore.dev':
    address of rekor STL server
--timestamp-certificate-chain='':
    path to PEM-encoded certificate chain file for the RFC3161 timestamp
    authority. Must contain the root CA certificate. Optionally may
    contain intermediate CA certificates, and may contain the leaf TSA
    certificate if not present in the timestamp
--trusted-root='':
    path to trusted root FILE to output
```