Enable fetching signatures without remote get.

[janisz]

Summary
When using cosign as a dependency and attempting to fetch signatures for a specific signed entity, the signed entity is always fetched from the registry.

In case the signed entity has been fetched previously, it'd be nice to introduce a function similar to the FetchAttestations that allows to fetch signatures from the signed entity directly, without reaching out to the registry to fetch the signed entity beforehand.

With the current changes in the PR, the error will now not include the reference anymore. However, the changes were also made to FetchAttestations in the same way.
If we want to include this information, we may wrap the returned error from FetchAttestations/FetchSignatures with the reference, so the content of the error will stay the same.

Release Note
NONE

Refs:

• Allow to fetch signatures by signed entity. #3007

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 9 lines in your changes missing coverage. Please review.

Project coverage is 36.51%. Comparing base (8714480) to head (4580e7b).
Report is 707 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cosign/fetch.go	0.00%	9 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4047      +/-   ##
==========================================
+ Coverage   30.33%   36.51%   +6.18%     
==========================================
  Files         151      209      +58     
  Lines        9439    13357    +3918     
==========================================
+ Hits         2863     4877    +2014     
- Misses       6134     7859    +1725     
- Partials      442      621     +179     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.