We want cosign to get out of the business of creating in-toto statements and have the user supply an entire in-toto statement to cosign. Then we don't have to keep track of updates to in-toto (see for example #4238).
#4306 adds in-toto statement support to attest-blob and verify-blob-attestation, which people often use with files on disk. However, container images are a bit less straightforward, as the subject is often the container image manifest, and what would we do if the supplied in-toto statement had a different subject? See the discussion on #4032.
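One possible form of the subject check raised above, as an added example that is not cosign's code or behaviour: it rejects a user-supplied in-toto statement when none of its subjects carries the image manifest digest. `CheckSubject`, `ErrSubjectMismatch` and the sample values are hypothetical, and rejecting on mismatch is an assumption, since the issue leaves that question open.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Statement holds only the in-toto Statement fields the subject check needs.
type Statement struct {
	Type    string `json:"_type"`
	Subject []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// Constructed sample values, not taken from any real image.
const sampleHex = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
const sampleDigest = "sha256:" + sampleHex
const sampleStatement = `{"_type":"https://in-toto.io/Statement/v1",
 "subject":[{"name":"registry.example/app","digest":{"sha256":"` + sampleHex + `"}}],
 "predicateType":"https://slsa.dev/provenance/v1","predicate":{}}`

var ErrSubjectMismatch = errors.New("no statement subject matches the image digest")

// CheckSubject is a hypothetical helper: it returns nil only when some subject
// in the supplied statement carries the image manifest digest ("alg:hex").
func CheckSubject(stmtJSON []byte, imageDigest string) error {
	alg, hex, ok := strings.Cut(imageDigest, ":")
	if !ok || alg == "" || hex == "" {
		return fmt.Errorf("malformed image digest %q", imageDigest)
	}
	var st Statement
	if err := json.Unmarshal(stmtJSON, &st); err != nil {
		return fmt.Errorf("parsing statement: %w", err)
	}
	for _, s := range st.Subject {
		if strings.EqualFold(s.Digest[alg], hex) {
			return nil
		}
	}
	return ErrSubjectMismatch
}

func main() {
	fmt.Println(CheckSubject([]byte(sampleStatement), sampleDigest))
	fmt.Println(CheckSubject([]byte(sampleStatement), "sha256:bbbb"))
}
```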