NOTE: SigstoreSigner is unstable and will likely stay that way for a bit... It's already very interesting though so would be nice to start implementing the quality of life improvements:

- signer should define a private key URI. As far as I can tell it should only encode whether the signing should use ambient credentials or not -- other suggestions are welcome though. So maybe just `sigstore:?ambient=true` or `sigstore:?ambient=false`
- from_priv_key_uri() would either use `detect_credentials()` or `issuer.identity_token()` based on ambient value
- the generic import method would take `identity`, `issuer` and `ambient` as arguments and return a public key (with a generated keyid) and URI

Further improvements:

- later down the line we may want to provide more specific helpers like e.g. `import_github_action()` that could take repository, workflow and branch name instead (because constructing the identity string is a bit complex)
- signing really should be able to choose the identity and issuer -- user should not be able to choose GitHub as the issuer if we know we want issuer to be Google: user should only decide to authenticate or not.
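
One way the proposed `sigstore:?ambient=...` URI could be parsed and used to pick a token source, added here as an illustration and not code from the issue or the project. The names `parse_sigstore_uri` and `identity_token_for` and the two callables are hypothetical stand-ins for the `detect_credentials()` and `issuer.identity_token()` calls the issue mentions; accepting only lower-case `true`/`false` and failing when ambient credentials are missing are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

SCHEME = "sigstore"  # scheme proposed in the issue


def parse_sigstore_uri(uri: str) -> bool:
    """Return the ambient flag from 'sigstore:?ambient=<true|false>'."""
    parts = urlsplit(uri)
    if parts.scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    # The proposed URI carries only a query; reject anything else so a
    # malformed URI can never silently select a credential source.
    if parts.netloc or parts.path or parts.fragment:
        raise ValueError("unexpected URI components")
    try:
        params = parse_qs(parts.query, keep_blank_values=True,
                          strict_parsing=True)
    except ValueError as exc:
        raise ValueError(f"malformed query: {parts.query!r}") from exc
    # Exactly one 'ambient' parameter: no unknown keys, no duplicates.
    if set(params) != {"ambient"} or len(params["ambient"]) != 1:
        raise ValueError("expected exactly one 'ambient' parameter")
    value = params["ambient"][0]
    if value not in ("true", "false"):
        raise ValueError(f"ambient must be 'true' or 'false', got {value!r}")
    return value == "true"


def identity_token_for(uri, detect_credentials, interactive_login):
    """Choose the token source based on the URI's ambient flag.

    detect_credentials: hypothetical callable returning a token or None.
    interactive_login:  hypothetical callable running the interactive flow.
    """
    if parse_sigstore_uri(uri):
        token = detect_credentials()
        if token is None:
            # Assumption: fail instead of falling back to an interactive
            # prompt, so an unattended job cannot hang waiting for input.
            raise RuntimeError("ambient=true but no ambient credentials")
        return token
    return interactive_login()
```
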