Ralph Bean
I'm not sure how the test coverage drop is possible. I added tests to cover the new branches.
Note - I think I remember hearing some talk years ago about deprecating the pattern where multiple attestations were written to the same image manifest (kind of like the OCI...
An end-user definitely could just wrap `cosign verify-blob-attestation` in a little loop. In the end, I think it's about convenience and what kind of pattern the tooling encourages. Do we...
I suppose it's also about consistency. If verify-attestation operates on the list of attestations discovered by the OCI referrer's API, then arguably verify-blob-attestation should operate on a list of attestations...