cli: Support friendlier syntax for verify pypi command

[facutuesca]

Rather than specify the full pythonhosted.org url for artifacts, now verify pypi also supports the friendlier syntax $PKG_NAME/$FILE_NAME

pypi-attestations verify pypi --repository https://github.com/sigstore/sigstore-python \
  sigstore/sigstore-3.6.1-py3-none-any.whl

This fixes #84

[facutuesca]

@woodruffw wdyt about the syntax? $PKG_NAME/$FILE_NAME is sort of ambiguous (since it does look like folder/file). An alternative could be adding a prefix to the "path", something like pypi:sampleproject/sampleproject-1.0.0.tar.gz

[woodruffw]

Yeah, I think this is too confusing 😅 -- having it be shorter is great, but I think you're right that it's too confusable with a local path.

Adding a prefix like pypi: would work, although IMO in that case we could drop the project/ entirely since just the wheel name should be fully unambiguous/resolvable for us (since we can parse the project from it). Thoughts? I don't love inventing new syntax for this, but given that it's an experimentation-only CLI I think it's not the worst option.

[facutuesca]

Yeah that makes sense. So it would look like:

pypi-attestations verify pypi --repository $REPO pypi:sample_project-1.0.0.tar.gz

Another option is to not use positional arguments, but options with values:

pypi-attestations verify pypi --repository $REPO --artifact-name sample_project-1.0.0.tar.gz
# and
pypi-attestations verify pypi --repository $REPO --artifact-url https://files.pythonhosted.org/....

It's not consistent with the other commands (where there is usually a positional argument for the artifact being signed over/verified), but it does make things less ambiguous. WDYT?

[woodruffw]

The first form looks good to me!