[intoto] Support intoto v0.0.2 type in rekor for upload and verification

[asraa]

Description

This type allows full verification of the intoto entry. See sigstore/rekor#973

We can migrate upload support to v0.0.2 and continue supporting v0.0.1 for verification. I can stage the PR for whenever Rekor server is deployed with v0.0.2 support.

[haydentherapper]

We pushed the new release of Rekor to staging and ran into this. This is a blocker for releasing the new Rekor since we no longer allow the upload of 0.0.1 intoto entries, unless we want to ease that restriction.

@bobcallaway

[asraa]

This is a blocker for releasing the new Rekor since we no longer allow the upload of 0.0.1 intoto entries, unless we want to ease that restriction.

What about old clients using old cosign versions? (or sigstore-python/npm etc)

[haydentherapper]

This is likely an issue. Clients will need to update, so we will need to give them the time to do so. I think we should relax the restriction for now so we can unblock Rekor updates.

[haydentherapper]

No longer needed, as we use the DSSE type now.