Open
Labels
kind/enhancement: New feature or request
Description
Currently policy only supports hasProvenance bool and the signature fields. Should also expose meaningful fields from the provenance attestation directly.
The initial use case would be to check that the build was hermetic and had all the required materials.
This can also be used for extra conditions on the individual materials. E.g., conditions on the Git repo that was the source for the build. In the future, we could even do some kind of recursive verification, so verify the artifact and also verify the materials against the policy.
This requires a buildkit update to expose provenance via metadata query.
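
An added example, not part of the original issue and not buildx or BuildKit code: the hermetic and materials checks described above, evaluated in Python over a constructed SLSA v0.2 provenance predicate. The field names follow BuildKit's provenance format; the sample document, the `check_provenance` helper, the allowlisted repository URL, and the rule that a URI path ending in `.git` marks a Git source are assumptions.

```python
from urllib.parse import urlsplit

# BuildKit's extension field in the provenance "metadata" object.
HERMETIC_KEY = "https://mobyproject.org/buildkit@v1#hermetic"

# Constructed sample predicate (not taken from a real build).
SAMPLE = {
    "buildType": "https://mobyproject.org/buildkit@v1",
    "materials": [
        {"uri": "pkg:docker/alpine@3.19?platform=linux%2Famd64",
         "digest": {"sha256": "a" * 64}},
        {"uri": "https://github.com/example-org/app.git#refs/heads/main",
         "digest": {"sha1": "b" * 40}},
    ],
    "metadata": {
        "completeness": {"parameters": True, "environment": True, "materials": True},
        HERMETIC_KEY: True,
    },
}


def check_provenance(pred, allowed_git_repos):
    """Return a list of policy violations; an empty list means the build passes."""
    violations = []
    meta = pred.get("metadata") or {}
    # Fail closed: a missing field or a non-boolean value is a violation.
    if meta.get(HERMETIC_KEY) is not True:
        violations.append("build not marked hermetic")
    if (meta.get("completeness") or {}).get("materials") is not True:
        violations.append("materials list not marked complete")
    materials = pred.get("materials") or []
    if not materials:
        violations.append("no materials recorded")
    for m in materials:
        uri = m.get("uri", "")
        if not m.get("digest"):
            violations.append(f"material without digest: {uri}")
        # Per-material condition: Git sources must match the allowlist exactly
        # (exact match avoids prefix tricks such as "example-org-evil").
        if urlsplit(uri).path.endswith(".git"):
            repo = uri.split("#", 1)[0]
            if repo not in allowed_git_repos:
                violations.append(f"git source not allowed: {repo}")
    return violations


if __name__ == "__main__":
    print(check_provenance(SAMPLE, {"https://github.com/example-org/app.git"}))
```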