
use 'dsse' as the default rekor type when signing #631

Draft
wants to merge 1 commit into base: main

Conversation

@bdehamer (Collaborator) commented Jul 21, 2023

Fixes #526
Replaces #552

Summary

Updates @sigstore/sign to use "dsse" as the default Rekor type when submitting DSSE-wrapped payloads. This replaces the "intoto" type currently in use.

NOTE: Do not merge until the necessary support has been added to the rest of the stack accepting npm provenance statements.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
changeset-bot (bot) commented Jul 21, 2023

🦋 Changeset detected

Latest commit: b7bcdba

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name            Type
@sigstore/sign  Minor


@haydentherapper

Hey! Just wanted to check if you know when this can be merged.

@bdehamer (Collaborator, Author)

@haydentherapper I don't think we're quite ready to make the dsse Rekor type the default just yet -- this has implications for some of the older versions of npm which have versions of this library bundled (don't want to get in a position where older clients aren't able to verify newly signed packages). I'm not sure what the exact trigger will be, but when the usage numbers for some of those older npm versions start to dip we will consider switching the default.

That said, GH is about to deploy a new usage of this library where we will be using the dsse Rekor type exclusively.

Successfully merging this pull request may close these issues.

change default rekor type for attestations from 'intoto:0.0.2' to 'dsse'