Adds TSA cert chain check for env var or TUF targets.
closes #3563
Summary
Creates parity between Cosign / TSA (e.g. TSA values are handled similarly to ctlog, fulcio, and rekor creds now) since the sigstore/sigstore TUF client was recently updated to support the "TSA" usage type.
Currently, the TSA cert chain is required via Cosign's CLI flag, though, as per https://github.com/sigstore/cosign/issues/3563, Cosign can support reading the cert chain from either an environment variable or the TUF targets, similar to the Fulcio certs, Rekor keys or CTLog public key that can be provided on verification. I looked at RekorPubKeys and GetCTLogPubs as an example.
Release Note
- Checks for TSA cert-chain in environment variable, SIGSTORE_TSA_CERTIFICATE_FILE, and TUF targets