`verify-blob-attestation` assumes artifact is hashed with SHA256

[steiza]

Description

npm bundles hash with SHA512:

$ curl https://registry.npmjs.org/semver/-/semver-7.6.3.tgz > semver-7.6.3.tgz
$ curl https://registry.npmjs.org/-/npm/v1/attestations/semver@7.6.3 | jq '.attestations[]|select(.predicateType=="https://slsa.dev/provenance/v1").bundle' > npm-provenance.sigstore.json
$ cosign verify-blob-attestation --bundle npm-provenance.sigstore.json --certificate-oidc-issuer="https://token.actions.githubusercontent.com" --certificate-identity-regexp="^https://github.com/npm/node-semver/.github/workflows/release-integration.yml.?" semver-7.6.3.tgz
Error: failed to verify signature: provided artifact digests does not match digests in statement
error during command execution: failed to verify signature: provided artifact digests does not match digests in statement

See https://github.com/sigstore/cosign/blame/a6bd85fc8fdb321f50efac4cb3b7aa37e88b91a7/cmd/cosign/cli/verify/verify_blob_attestation.go#L171

Version

Head of main

[Hayden-IO]

We could allow --digest-alg to override this default? Either you provide the digest + digest alg, or you provide the artifact path and optionally the digest alg.