Do not capture absolute paths in in-toto link metadata

[adityasaky]

Currently, when rebuilderd records an in-toto link after a successful rebuild, the absolute path of both the input and output packages are recorded. Typically, this looks something like /tmp/rebuilderd<build string>/{inputs,out}/<package file>. This should be replaced with just <package file>, enabling more straightforward artifact rules in in-toto layouts. Since rebuilderd is aware of the build location, it can pass this path to in-toto as a string to be left-stripped.

Related: https://github.com/in-toto/in-toto-rs/issues/12