[Bug]: DSSE payload not verified against the agent card

### What happened?

After `verifier.verify_dsse(sig_bundle, policy)`, the returned subject and payload, values are discarded.

The signed in-toto statement contains the agent card data as its predicate.
By not comparing it to the agent card in the `SignedAgentCard`, an attacker could swap the agent card content while keeping a valid Sigstore bundle from a different signing operation.
This tampers with the overall integrity of a `signed-agent-card` where in the contents under `attestations` could be a completely different but valid signature and the contents under `agentCard` could be different.

### Relevant log output

```shell

```

### Code of Conduct

- [x] I agree to follow this project's Code of Conduct

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: DSSE payload not verified against the agent card #49

What happened?

Relevant log output

Code of Conduct

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Bug]: DSSE payload not verified against the agent card #49

Description

What happened?

Relevant log output

Code of Conduct

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions