Support generating offline Rekor bundles

[di]

Description

Similar to cosign's --bundle flag, we should support generating offline Rekor bundles as well:

E.g. from cosign:

--bundle string         write everything required to verify the blob to a FILE

This is likely a logical first step before #52.

[asraa]

Just adding some context or comments or lessons learned from cosign:

There's a proposal for a more specified bundle: sigstore/cosign#2131. Depending on your timeline of course, you may just want to use a basic copy of the Rekor bundle, without relying on this issues resolution.

Note that the cosign current --bundle output has something of the format:

{
  "base64Signature": "...",
  "cert": "...",
  "rekorBundle": { ... }
}

When using the cosign CLI, it's hairy to use the base64Signature in favor of the signature potentially given in the CLI argument --signature. Likewise, definitely use diligence to make sure that rekorBundle actually applies to the artifact that it's intended to verify!