If this operation is using an algorithm suite with a signature algorithm,
all plaintext decrypted from regular frames SHOULD be released as soon as the above calculation,
including tag verification, succeeds.
Any plaintext decrypted from unframed data or a final frame MUST NOT
be released until signature verification successfully completes.
per https://github.com/awslabs/aws-encryption-sdk-specification/blob/master/client-apis/decrypt.md If streaming decrypt: