
[feature] Simplify GCB verification

Open · laurentsimon opened this issue 1 year ago · 1 comment

I'm wondering if we should simplify verification to take as input the intoto file:

gcloud artifacts docker images describe $IMMUTABLE_IMAGE --format json --show-provenance | jq -r '.provenance_summary.provenance[0].envelope'

This would simplify support for other artifact types, since there are image-specific fields (e.g., image_summary) in the current result we process. In-toto-only support would not need to be aware of these fields. It would also reduce complexity around the verification we do to verify other fields.

This would also remove the requirement on which gcloud API is used to download the provenance. Right now we are dependent on this API. Maven and Python packages don't have a similar API, and when they add it the content might differ slightly.

Thoughts?

laurentsimon · Apr 05 '23 20:04
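As an added illustration of what "take the in-toto envelope as input" would involve (example code written for this page, not part of the issue thread or of slsa-verifier itself): the object the jq filter above extracts is a DSSE envelope, and a verifier working from it only needs the generic in-toto fields. The script below builds a constructed envelope with made-up digests and builder id (the field names follow the DSSE and in-toto Statement specs), decodes the payload, computes the DSSE pre-authentication encoding that a signature covers, and checks the subject digest and builder id against expected values. It performs no signature check, since that needs the builder's public key, which is outside the scope of the issue text.

```python
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"

# Constructed sample statement: the shape of the decoded DSSE payload. The
# image name, digest and builder id are invented for this example.
SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "predicateType": "https://slsa.dev/provenance/v0.1",
    "subject": [
        {
            "name": "us-docker.pkg.dev/example-project/repo/app",
            "digest": {"sha256": "ab" * 32},
        }
    ],
    "predicate": {
        "builder": {"id": "https://example.invalid/builder@v1"},
    },
}

# Constructed envelope, i.e. what `.provenance_summary.provenance[0].envelope`
# would look like. The signature bytes are a placeholder, not a real signature.
SAMPLE_ENVELOPE = {
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "constructed-key-id", "sig": "AAAA"}],
}


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes a DSSE signature
    covers. A verifier must recompute this from the envelope, never sign or
    verify the raw payload."""
    type_bytes = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(type_bytes), type_bytes, len(payload), payload)


def decode_statement(envelope: dict) -> dict:
    """Decode the in-toto Statement carried by a DSSE envelope.

    Rejects envelopes whose payloadType or statement _type is not in-toto,
    so a caller cannot be fooled by an arbitrary signed JSON blob."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    if not envelope.get("signatures"):
        raise ValueError("envelope carries no signatures")
    payload = base64.b64decode(envelope["payload"])
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError("unexpected statement _type: %r" % statement.get("_type"))
    return statement


def subject_matches(statement: dict, expected_sha256: str) -> bool:
    """True if any subject in the statement carries the expected sha256.

    This is the artifact-type-agnostic check: an image, a Maven jar or a
    Python wheel all appear here as a name plus a digest map."""
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256", "").lower() == expected_sha256.lower():
            return True
    return False


def builder_matches(statement: dict, expected_builder_id: str) -> bool:
    """True if the provenance claims the expected builder id."""
    return statement.get("predicate", {}).get("builder", {}).get("id") == expected_builder_id


def verify_envelope(envelope: dict, expected_sha256: str, expected_builder_id: str) -> bool:
    """Run the non-cryptographic checks a generic in-toto verifier would do."""
    statement = decode_statement(envelope)
    return subject_matches(statement, expected_sha256) and builder_matches(
        statement, expected_builder_id
    )


if __name__ == "__main__":
    ok = verify_envelope(SAMPLE_ENVELOPE, "ab" * 32, "https://example.invalid/builder@v1")
    print("subject and builder match:", ok)
    print("PAE prefix:", pae(IN_TOTO_PAYLOAD_TYPE, b"{}")[:40])
```

In practice the input would be the envelope printed by the gcloud/jq pipeline in the issue, read from stdin instead of the constructed sample, and the PAE bytes would be passed to a signature check with the builder's public key before any of the field checks are trusted.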

I think the broader discussion here is to decide the interface we should use in general. The same question will come up for npm, for example. The attestations argument is also the result of the API call. Maybe the API is the right level of abstraction, since it simplifies the user's experience...

laurentsimon · Apr 05 '23 20:04