verify-blob-attestation: Loosen arg requirements if --check-claims=false

[wlynch]

Summary

1. Update --check-claims documentation to better describe the behavior of the flag.
2. Modify verify-blob-attestation to not require a blob argument if --check-claims=false. This file is not used if we're not checking claims - it can be set to anything and still pass.

See https://sigstore.slack.com/archives/C01PZKDL4DP/p1677006107531799 for more discussion.

Release Note

• verify-blob-attestation will now accept 0 arguments if --check-claims=false is set.

Documentation

✅

[wlynch]

CC @priyawadhwa @asraa

[codecov]

Codecov Report

Merging #2746 (feb6305) into main (79f08c3) will increase coverage by 0.50%.
The diff coverage is 44.44%.

@@            Coverage Diff             @@
##             main    #2746      +/-   ##
==========================================
+ Coverage   29.03%   29.54%   +0.50%     
==========================================
  Files         151      151              
  Lines        9642     9646       +4     
==========================================
+ Hits         2800     2850      +50     
+ Misses       6422     6357      -65     
- Partials      420      439      +19     

Impacted Files	Coverage Δ
cmd/cosign/cli/options/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_blob_attestation.go	33.17% <66.66%> (-0.31%)	⬇️
pkg/blob/load.go	72.50% <0.00%> (+5.00%)	⬆️
pkg/oci/layout/index.go	28.57% <0.00%> (+28.57%)	⬆️
pkg/oci/layout/write.go	37.50% <0.00%> (+37.50%)	⬆️
pkg/oci/layout/signatures.go	53.84% <0.00%> (+53.84%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[hectorj2f]

lgtm