sigstore-python
Finalize importable `sigstore` API
Once we've written the Fulcio and Rekor clients, we should fill out the importable API. The API should roughly line up with the subcommands that cosign supports.
The CLI itself (which we'll implement in #3) will be a thin wrapper that wires the argparse flags to the API. So the meat of the CLI logic will be covered in this task.
I expect that we'll separate this into multiple issues when we begin working on it.
This is a great article that explains what cosign is doing under the hood: https://martinheinz.dev/blog/56
Changed this to 'finalize' instead of implement and moved it to the 1.0 milestone.
xref #250 for some changes that will happen to these APIs before stabilization.
For visibility: #299 is going to refactor the verification API per #250, which will get us much closer to a stabilize-able public API.
cc @mayaCostantini: the API in #299 isn't public yet, but it's much closer to what the final stable API will look like, if you'd like to experiment with it!
Thanks a lot @woodruffw !
I'm going to make a separate issue to begin generating API docs like we do for pip-audit.
@mayaCostantini we've just cut 0.10.0, which has the first official iteration of the stable API 🙂
The docs are here: https://sigstore.github.io/sigstore-python/
Amazing, thanks @woodruffw !
No problem! FYI there will be a handful of small changes before 1.0, but we'll make sure they're all tracked in the CHANGELOG.