Use stdout only for literal text of trusted content

[charles-dyfis-net]

Per POSIX conventions, stdout is for "conventional output", whereas stderr is for "diagnostic output". Diagnostic output is conventionally interpreted to include logs, status messages, prompts, or other content of interest to human operators, such that stdout can be directed through pipelines or redirections for programmatic consumption while stderr is routed directly to the human operator.

• When we are asked to verify a document and write that document to stdout, write only the document (not verification messages, not the trusted comment text) to stdout.
• When we are asked to verify a document and write only the trusted comment, that comment is our "conventional output" -- the thing we were invoked to generate -- and should be written to stdout without any prelude, header, explanatory content, etc.
• In modes where we aren't being invoked with the intention of generating some kind of well-defined output on stdout, keep all interaction on stderr to avoid potential for confusion.

-Q is modified from "pretty quiet" to instead be a directive to write the literal text of the trusted comment to stdout; this provides a programmatic way to retrieve that comment that doesn't require filtering/modifying output to separate the literal text from the explanatory prose.

[charles-dyfis-net]

I think there's a bug in here -- getting an extra CRLF on stderr and signatures generated on stdout without a trailing newline. Withdrawing to draft for now.

[charles-dyfis-net]

On further investigation, that trailing-newline delta is present on main without this PR merged; it's thus not a new bug. Reopening.