macaron
Use the Python bindings for in-toto/attestation
We could possibly use the in-toto-attestation package that contains Python bindings for in-toto/attestation to validate the schema.
I looked into the library and feel that it is not suitable for our use case. The library exists to properly validate an artifact's provenance, rather than to verify the validity of a given provenance file. From the website for the most relevant method:
Performs complete in-toto supply chain verification for a final product. (Source)
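To illustrate the distinction drawn in the comment above, here is an added example (not Macaron's code and not part of the in-toto library) of a schema-only check on a provenance file's in-toto Statement envelope. The function name `schema_errors` and the sample statement are assumptions made for this sketch; it checks structure only and performs no supply chain verification.

```python
import json

# Statement type URIs defined by the in-toto attestation spec.
V01 = "https://in-toto.io/Statement/v0.1"
V1 = "https://in-toto.io/Statement/v1"


def schema_errors(statement):
    """Return a list of structural problems; an empty list means well-formed.

    Shape only: no signature check, no layout, no comparison of an
    artifact against the listed digests.
    """
    if not isinstance(statement, dict):
        return ["statement is not a JSON object"]
    errors = []
    stype = statement.get("_type")
    if stype not in (V01, V1):
        errors.append("_type is not a known in-toto Statement type")
    ptype = statement.get("predicateType")
    if not isinstance(ptype, str) or not ptype:
        errors.append("predicateType must be a non-empty string")
    if not isinstance(statement.get("predicate", {}), dict):
        errors.append("predicate must be an object")
    subjects = statement.get("subject")
    if not isinstance(subjects, list) or not subjects:
        return errors + ["subject must be a non-empty array"]
    for i, subj in enumerate(subjects):
        if not isinstance(subj, dict):
            errors.append(f"subject[{i}] must be an object")
            continue
        digest = subj.get("digest")
        if not isinstance(digest, dict) or not digest or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in digest.items()
        ):
            errors.append(f"subject[{i}].digest must map algorithm to hex string")
        if stype == V01 and not isinstance(subj.get("name"), str):
            errors.append(f"subject[{i}].name is required in v0.1")
    return errors


# Constructed sample provenance file content (not from any real build).
SAMPLE = json.loads("""
{"_type": "https://in-toto.io/Statement/v0.1",
 "subject": [{"name": "example.tar.gz", "digest": {"sha256": "0000"}}],
 "predicateType": "https://slsa.dev/provenance/v0.2",
 "predicate": {}}
""")

if __name__ == "__main__":
    print(schema_errors(SAMPLE) or "well-formed")
```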