We should add support for finding SBOMs/Provenance through OCI artifacts with the new distribution-spec referral API.
This will help ensure that we can provide as rich metadata as possible to users, even if they're not using BuildKit attestations (though ofc, we'll only be able to give the best results for that case). Also, if BuildKit ever supports generating OCI artifacts with this API, we'll need to support it in this library as well.
Maybe I'm missing something but I don't understand how the referrers API can provide that info. When we have reproducible builds you will have a list of SBOMs and Provenance attestations for every build invocation. How could you determine which ones were actually correct? We have already seen this live with distroless images having 30+ signatures because of the same issue. With SBOMs you could at least assume that if you merge all the attestations together with some semantics the result could be somewhat correct (how you handle the SBOMs from different scanpoints, different scanners, scanner updates, different formats etc. is all undefined of course), so it just becomes a performance bottleneck and accessing your images gets slower on each push. But for provenance, every provenance will have different timing info and likely will have different build steps/configuration. When some of your build materials get updated, it doesn't need to change the final image (in the most basic case, not all git commits change the final binary).
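The ambiguity raised in the comment above, as an added example that is not code from this issue or from the library: it parses a constructed referrers listing (the image index returned by the distribution-spec referrers endpoint), groups entries by `artifactType`, and refuses to pick a provenance statement when more than one refers to the same subject. The artifact type strings and digests are assumptions, not values from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Descriptor is the subset of an OCI descriptor that a referrers listing carries.
type Descriptor struct {
	MediaType    string            `json:"mediaType"`
	Digest       string            `json:"digest"`
	ArtifactType string            `json:"artifactType,omitempty"`
	Annotations  map[string]string `json:"annotations,omitempty"`
}

// referrersIndex is the image index returned by GET /v2/<name>/referrers/<digest>.
type referrersIndex struct {
	Manifests []Descriptor `json:"manifests"`
}

// Constructed sample: one SBOM and two provenance artifacts, as two reproducible
// rebuilds of the same image would leave behind. Digests are placeholders.
const sampleReferrers = `{"schemaVersion":2,"manifests":[
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:aaa","artifactType":"application/spdx+json"},
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:bbb","artifactType":"application/vnd.in-toto+json","annotations":{"org.opencontainers.image.created":"2023-01-01T00:00:00Z"}},
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:ccc","artifactType":"application/vnd.in-toto+json","annotations":{"org.opencontainers.image.created":"2023-02-01T00:00:00Z"}}]}`

// GroupReferrers buckets referrers by artifactType; the type strings used for
// SBOM and provenance are this example's assumption about how they are labelled.
func GroupReferrers(raw []byte) (map[string][]Descriptor, error) {
	var idx referrersIndex
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, err
	}
	groups := map[string][]Descriptor{}
	for _, d := range idx.Manifests {
		groups[d.ArtifactType] = append(groups[d.ArtifactType], d)
	}
	return groups, nil
}

// SelectProvenance returns the single provenance referrer, or an error when the
// listing is ambiguous: several statements for one subject cannot be told apart
// by the referrers API alone and need signature and policy checks instead.
func SelectProvenance(groups map[string][]Descriptor) (Descriptor, error) {
	provs := groups["application/vnd.in-toto+json"]
	if len(provs) == 1 {
		return provs[0], nil
	}
	return Descriptor{}, fmt.Errorf("cannot select provenance: %d referrers for one subject", len(provs))
}
```

With the sample above, `SelectProvenance` reports two provenance referrers and returns an error rather than silently picking the newest one.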