
Externalize API or library for writing/parsing Sigstore bundles

Open di opened this issue 1 year ago • 1 comment

Description

Currently this project publicly provides models.Bundle which supports to_json and from_json, but does not expose a lower-level API to create/modify specific fields of the Sigstore bundle, read/write the bundle to/from a file, etc. This makes it challenging to use the Sigstore bundle format from within other Python libraries/applications, including use cases that include non-signing bundle operations, PKI-based signing, etc.

Desired outcome

Either:

  • expand the public API of sigstore-python to include a lower-level API to create/modify a Sigstore bundle
  • break out the relevant functionality into a separate sigstore-bundle library with a public API that this project can consume as a sub-dependency

(cc @haydentherapper @mihaimaruseac @woodruffw)

di avatar Sep 18 '24 20:09 di
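A sketch of what the lower-level bundle API asked for above could look like, added here as an example and not code from sigstore-python or from the issue author: a small, stdlib-only model of a `messageSignature` bundle with `from_json`/`to_json`, file read/write, and field-level validation (media type, base64 fields, digest algorithm and length). The JSON field names follow the published Sigstore bundle encoding; the Python names (`Bundle`, `MessageSignature`, `read`, `write`, `matches_artifact`) are assumptions for illustration, and the certificate and signature bytes in the sample bundle are constructed placeholders, so the example exercises parsing and structural checks, not signature verification.

```python
from __future__ import annotations

import base64
import hashlib
import json
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any

# Media types from the Sigstore bundle spec. The v0.3 form carries a single
# leaf certificate; v0.1/v0.2 carry an x509CertificateChain (leaf first).
MEDIA_TYPE_V03 = "application/vnd.dev.sigstore.bundle.v0.3+json"
SUPPORTED_MEDIA_TYPES = frozenset({
    "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "application/vnd.dev.sigstore.bundle+json;version=0.2",
    MEDIA_TYPE_V03,
})


class BundleError(ValueError):
    """Raised when a bundle is structurally invalid (parse-level, not crypto)."""


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(name: str, value: Any) -> bytes:
    """Strict base64 decode; rejects non-strings and non-alphabet characters."""
    if not isinstance(value, str):
        raise BundleError(f"{name}: expected a base64 string")
    try:
        return base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise BundleError(f"{name}: invalid base64") from exc


def _dict(parent: dict[str, Any], key: str) -> dict[str, Any]:
    value = parent.get(key)
    if not isinstance(value, dict):
        raise BundleError(f"{key}: expected a JSON object")
    return value


@dataclass
class MessageSignature:
    digest: bytes
    signature: bytes
    algorithm: str = "SHA2_256"

    @classmethod
    def from_dict(cls, d: dict[str, Any]) -> MessageSignature:
        md = _dict(d, "messageDigest")
        algorithm = md.get("algorithm")
        if algorithm != "SHA2_256":
            raise BundleError(f"unsupported digest algorithm: {algorithm!r}")
        digest = _unb64("messageDigest.digest", md.get("digest"))
        if len(digest) != hashlib.sha256().digest_size:
            raise BundleError("SHA2_256 digest must be 32 bytes")
        signature = _unb64("messageSignature.signature", d.get("signature"))
        if not signature:
            raise BundleError("messageSignature.signature is empty")
        return cls(digest=digest, signature=signature, algorithm=algorithm)

    def to_dict(self) -> dict[str, Any]:
        return {
            "messageDigest": {"algorithm": self.algorithm, "digest": _b64(self.digest)},
            "signature": _b64(self.signature),
        }


@dataclass
class Bundle:
    media_type: str
    certificate_chain: list[bytes]            # DER bytes, leaf first
    message_signature: MessageSignature
    tlog_entries: list[dict[str, Any]] = field(default_factory=list)

    @classmethod
    def from_json(cls, raw: str | bytes) -> Bundle:
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise BundleError(f"not valid JSON: {exc}") from exc
        if not isinstance(obj, dict):
            raise BundleError("bundle must be a JSON object")
        media_type = obj.get("mediaType")
        if media_type not in SUPPORTED_MEDIA_TYPES:
            raise BundleError(f"unsupported mediaType: {media_type!r}")
        vm = _dict(obj, "verificationMaterial")
        if "certificate" in vm:
            chain = [_unb64("certificate.rawBytes", _dict(vm, "certificate").get("rawBytes"))]
        elif "x509CertificateChain" in vm:
            certs = _dict(vm, "x509CertificateChain").get("certificates") or []
            if not isinstance(certs, list) or not certs:
                raise BundleError("x509CertificateChain has no certificates")
            chain = [_unb64("certificates[].rawBytes", c.get("rawBytes")) for c in certs]
        else:
            raise BundleError("verificationMaterial has no certificate")
        if "messageSignature" not in obj:
            raise BundleError("only messageSignature bundles are modelled here")
        sig = MessageSignature.from_dict(_dict(obj, "messageSignature"))
        return cls(media_type, chain, sig, list(vm.get("tlogEntries", [])))

    def to_dict(self) -> dict[str, Any]:
        if self.media_type == MEDIA_TYPE_V03:
            cert = {"certificate": {"rawBytes": _b64(self.certificate_chain[0])}}
        else:
            cert = {"x509CertificateChain": {
                "certificates": [{"rawBytes": _b64(c)} for c in self.certificate_chain]}}
        return {
            "mediaType": self.media_type,
            "verificationMaterial": {**cert, "tlogEntries": self.tlog_entries},
            "messageSignature": self.message_signature.to_dict(),
        }

    def to_json(self) -> str:
        return json.dumps(self.to_dict(), indent=2)

    @classmethod
    def read(cls, path: str | Path) -> Bundle:
        return cls.from_json(Path(path).read_bytes())

    def write(self, path: str | Path) -> None:
        Path(path).write_text(self.to_json())

    def matches_artifact(self, artifact: bytes) -> bool:
        """True if the bundle's digest is the SHA-256 of `artifact`. This is a
        consistency check only; certificate and signature verification stay
        with the signing client."""
        return hashlib.sha256(artifact).digest() == self.message_signature.digest


# Constructed sample: certificate and signature bytes are placeholders, so this
# bundle parses but would never verify against Fulcio/Rekor.
SAMPLE_ARTIFACT = b"hello artifact\n"
SAMPLE_BUNDLE_JSON = json.dumps({
    "mediaType": MEDIA_TYPE_V03,
    "verificationMaterial": {
        "certificate": {"rawBytes": _b64(b"CONSTRUCTED-NOT-A-REAL-CERTIFICATE")},
        "tlogEntries": [],
    },
    "messageSignature": {
        "messageDigest": {"algorithm": "SHA2_256",
                          "digest": _b64(hashlib.sha256(SAMPLE_ARTIFACT).digest())},
        "signature": _b64(b"CONSTRUCTED-SIGNATURE"),
    },
})


def round_trip_through_file(raw: str) -> Bundle:
    """Parse, write to disk, read back; returns the re-read bundle."""
    bundle = Bundle.from_json(raw)
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "artifact.sigstore.json"
        bundle.write(path)
        return Bundle.read(path)


if __name__ == "__main__":
    b = round_trip_through_file(SAMPLE_BUNDLE_JSON)
    print(b.media_type, b.matches_artifact(SAMPLE_ARTIFACT))
```

The model keeps the whole certificate chain so that a v0.1/v0.2 bundle round-trips without losing intermediates, and every decode error surfaces as a `BundleError` with the offending field named, which is what a library consumer needs when a bundle produced by another client fails to load.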

I'm a big fan of this idea! My personal preference is for option 2: IMO it'd be ideal to have this in a sigstore-models (or similar) library that both sigstore-python and anything else that needs direct model access at the API level can use.

Having it be in a separate library also aligns closely with #1049 -- a "pure" models API could be done with just pydantic, which would both make the models API more Pythonic and eliminate a complexifying dependency (betterproto) of ours.

woodruffw avatar Sep 18 '24 20:09 woodruffw