Allow recording attestations without derivation

[raboof]

Binary caches can contain objects that are 'directly' part of a build, instead of being the result of a derivation: an example is https://cache.nixos.org/h9lc1dpi14z7is86ffhl3ld569138595.narinfo

Since systems can have run-time dependencies on such objects, and in those cases those objects may be fetched from the binary cache, it seems helpful to be able to collect hashes for such objects, too. This means we should be able to store attestations that 'this output path has the following nar_hash' without a reference to a derivation - i.e. making the drv_id field of Attestation nullable and allowing this in the upload model as well.

[raboof]

On the other hand: it seems unlikely we'd ever fetch such an object from the cache, so perhaps it's fine to not record attestations for it?

[raboof]

Such objects are fetched from the cache, for example in case of --substitute-on-destination.

However, since they're constants, there is nothing to 'attest' about them. A consumer that doesn't trust the cache should not look for attestations, but instead check that the narhash of the contents is equal to the output hash.

In the https://cache.nixos.org/h9lc1dpi14z7is86ffhl3ld569138595.narinfo example above, given the downloaded audit-tmpdir.sh:

$ nix-hash --type sha256 /tmp/audit-tmpdir.sh 
b4c61d373db17ad0ec40ad45132df5dbaf94a9d901f1c5cde25fd981bbf7b66d
$ nix-hash --type sha256 --truncate --base32 --flat <(echo -n "source:sha256:b4c61d373db17ad0ec40ad45132df5dbaf94a9d901f1c5cde25fd981bbf7b66d:/nix/store:audit-tmpdir.sh")
h9lc1dpi14z7is86ffhl3ld569138595

... the fact that this returns h9lc1dpi14z7is86ffhl3ld569138595 means it's likely a legitimate payload for this output.

It does not make sense to record this information in lila, though, so this is not a reason to make the drv_id field of Attestation nullable.