CLI: Verification should support complex policies via a policy file input

[woodruffw]

This issue has a few blockers, including coordination with the broader Sigstore community on a machine-readable policy format.

Key components:

• The sigstore verify subcommands should take a --policy <FILE> or similar option, which would read in the policy file to use during verification.
• ...or there would be a separate sigstore verify policy subcommand, since sigstore verify identity and sigstore verify github already imply basic policies.

CC @di for visibility.

[haydentherapper]

Would it be worthwhile creating a verification policy in protobuf-specs? We can start relatively barebones, something like:

• List of tuple of (identity, issuer)
• Issuer could have aliases for common issuers
• Syntax for CI identities, pulling from Sugar for common GitHub Actions (and other CI/CD workflows) cosign#2691
• No regular expressions would be my preference

[haydentherapper]

cc @jku