Integrate cosign provenance attachment to Docker

[marcofranssen]

Currently we are using the cosign cli to attach the provenance file to a Docker image.

Investigate if we can use https://github.com/sigstore/cosign/tree/bad18e5cb25f2cb86301d248e7e4ed39d49df143/pkg/cosign as a library to natively integrate this step in slsa-provenance.

[developer-guy]

I can take care of that one @marcofranssen if you want 🙋🏻‍♂️

[marcofranssen]

👋 @developer-guy I'm OK with that. Just know we are currently also looking for a solution for registry authentication.

See #130 (comment).