
Support for OCI

Open · laurentsimon opened this issue 2 years ago · 1 comment

The generic provenance will let users add provenance to their container images.

We need an option `--oci-path` (or something to this effect) to support it.

We can start simple by only accepting paths like _some_registry_@sha256:xxx. This will force users to download their containers first, and then call the verifier. This avoids the TOCTOU/race condition.

The next phase is to accept _some_registry_:_tag_. For this, we'll need to output the resulting _some_registry_@sha256:xxx for users to pipe into `docker pull` or `docker install`.

We'll need to make sure this plays nicely with the `print-provenance` option.

/cc @asraa @ianlewis

laurentsimon · Jun 09 '22 13:06
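As an added illustration of the first phase proposed above (accept only digest-pinned references so that the image verified is exactly the image already pulled, closing the TOCTOU window), here is a small Go parser. It is example code written for this page, not slsa-verifier's own implementation; the type and function names (`ImageRef`, `ParsePinnedRef`, `validateDigest`) are assumptions.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ImageRef is a parsed OCI reference of the form repo[:tag]@sha256:<hex>.
type ImageRef struct {
	Repository string
	Tag        string // informational only; Digest is what provenance is checked against
	Digest     string
}

// ParsePinnedRef implements the issue's first phase: only digest-pinned
// references are accepted, so the bytes verified are the bytes the user
// already pulled, and no tag can move between verification and use (TOCTOU).
func ParsePinnedRef(ref string) (ImageRef, error) {
	var out ImageRef
	repo, digest, hasDigest := strings.Cut(ref, "@")
	if !hasDigest {
		return out, errors.New("reference is not pinned by digest; pull first and pass repo@sha256:<hex>")
	}
	if err := validateDigest(digest); err != nil {
		return out, err
	}
	// A ':' after the last '/' separates the tag; an earlier one is a registry port.
	if i := strings.LastIndex(repo, ":"); i > strings.LastIndex(repo, "/") {
		out.Tag, repo = repo[i+1:], repo[:i]
	}
	if repo == "" {
		return out, errors.New("empty repository in reference")
	}
	out.Repository, out.Digest = repo, digest
	return out, nil
}

// validateDigest accepts exactly "sha256:" followed by 64 lowercase hex characters.
func validateDigest(d string) error {
	algo, h, ok := strings.Cut(d, ":")
	if !ok || algo != "sha256" || len(h) != 64 || strings.ToLower(h) != h {
		return fmt.Errorf("malformed digest %q: want sha256:<64 lowercase hex>", d)
	}
	if _, err := hex.DecodeString(h); err != nil {
		return fmt.Errorf("digest %q is not hex: %w", d, err)
	}
	return nil
}
```

A tag-only reference is rejected with an error telling the user to pull first, which is the behaviour the phase-two tag-to-digest resolution would later replace.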