
cosign digest subcommand to resolve tag to digest #3034

Closed
seankhliao opened this issue Jun 3, 2023 · 1 comment · Fixed by #3255
Labels
enhancement New feature or request

Comments

@seankhliao

Description

A cosign digest $artifact-reference subcommand that can resolve an image tag to the digest.

Why

Signing (or any other operation) by tag is generally discouraged (ref #2047), as tags can be mutable and change between two different steps in a workflow (eg publish and sign).

In most cases, users should try and get an image digest from a previous step, eg directly from the output of their build tool.

However, there are situations where there is no previous stage that can produce an image digest, and we'd like to resolve a tag to a digest, and only use the digest going forward in a workflow.
Example: check if there's a signed copy of an image in a private mirror. If not, run processes to generate trust on the image (scanners), and push the signed result into the private mirror for use.

There are other tools that can do this, eg crane digest, but installing an extra tool that isn't otherwise needed seems wasteful.
cosign already partially does this with cosign triangulate (the digest is used as the tag for the signature) and some massaging of the output can turn it into the digest, but it would be nice not to have to do that:

$ cosign triangulate $image | tr ':-' '@:' | sed 's/\.sig$//'

Slack thread

@seankhliao seankhliao added the enhancement New feature or request label Jun 3, 2023
@VenutNSA

VenutNSA commented Aug 3, 2023

Hello!
We and a few other teams have come across the need to use this function.
