Add test for sigstore-rs

[jku]

There's a few reasons why sigstore-rs is not yet tested (is experimental, does not support staging, does not support configuring TUF urls, the "bundle" example that we could use has not been released yet) but we keep breaking sigstore-rs (#1431) so we should still do it.

I will push a draft PR. It's a little tricky to test right now.

[jku]

An attempt was made but:

• sigstore-rs does not support signing in GitHub Actions so we need to test verify only and use a bundle made by another client
• There is a signature bundle available for this purpose. It's produced by sigstore-python so is bundle v0.3: sigstore-rs only supports <=0.2

so a sigstore-rs test is not currently included.

Either sigstore-rs needs to support bundle v0.3 (or GHA signing) or we need some changes in our testing infra