sigstore / sigstore-go

Go library for Sigstore signing and verification
Apache License 2.0

Clean up certificate timestamp comparisons #176

Open haydentherapper opened 2 months ago

haydentherapper commented 2 months ago

Description

There are three places we compare certificates against SET or TSA timestamps:

As noted in a comment, the latter two are unnecessary, and so should be removed.

cmurphy commented 3 weeks ago

I could be misunderstanding, but I think each of these instances is different from the others and necessary:

Verify() -> VerifyLeafCertificate() (link) - aggregates SETs and TSAs and verifies them against the fulcio CA

Verify() -> VerifyObserverTimestamps() -> VerifyTimestampAuthority() -> verifySignedTimestamp() (link) - verifies each timestamp, if any, against the bundle certificates. The signed entity doesn't always have timestamps issued by a TSA. I think the comment here is mistaken.

Verify() -> VerifyTransparencyLogInclusion() -> VerifyArtifactTransparencyLog() (link) - verifies the tlog entry time against the bundle certificates

@haydentherapper do you still think these are superfluous?
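The check that all three places in the thread share is the same one: the leaf certificate must have been within its NotBefore/NotAfter window at the moment an observer (a Rekor SET, a TSA, or a tlog entry's integrated time) says the signature existed, and a bundle with no observer timestamp at all cannot be placed in time. The following is an added example that illustrates that rule in plain Go; it is not sigstore-go's code, and `ObservedTimestamp`, `newShortLivedCert`, `certValidAt` and `verifyObservedTimestamps` are names chosen here, not the library's API. The certificate is self-signed and constructed inline so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ObservedTimestamp is a constructed stand-in for a time attested by an
// observer: a Rekor SET's integrated time, a TSA signed timestamp, or a tlog
// entry's inclusion time. Hypothetical type, not part of sigstore-go.
type ObservedTimestamp struct {
	Source string
	Time   time.Time
}

// newShortLivedCert builds a self-signed leaf certificate whose validity
// window mimics a short-lived signing certificate (10 minutes here).
// Constructed for this example; NotBefore should be whole seconds, since
// X.509 encodes validity times at second precision.
func newShortLivedCert(notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example leaf (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certValidAt reports whether t lies inside the certificate's validity
// window. Both bounds are inclusive, matching crypto/x509's own expiry check.
func certValidAt(cert *x509.Certificate, t time.Time) error {
	if t.Before(cert.NotBefore) {
		return fmt.Errorf("timestamp %s precedes certificate NotBefore %s",
			t.UTC().Format(time.RFC3339), cert.NotBefore.UTC().Format(time.RFC3339))
	}
	if t.After(cert.NotAfter) {
		return fmt.Errorf("timestamp %s is after certificate NotAfter %s",
			t.UTC().Format(time.RFC3339), cert.NotAfter.UTC().Format(time.RFC3339))
	}
	return nil
}

// verifyObservedTimestamps requires at least one observer timestamp (without
// one there is no trustworthy notion of "when" the certificate was used) and
// rejects the bundle if any observed time falls outside the validity window.
func verifyObservedTimestamps(cert *x509.Certificate, obs []ObservedTimestamp) error {
	if len(obs) == 0 {
		return fmt.Errorf("no observer timestamps: cannot establish when the certificate was used")
	}
	for _, o := range obs {
		if err := certValidAt(cert, o.Time); err != nil {
			return fmt.Errorf("%s: %w", o.Source, err)
		}
	}
	return nil
}

func main() {
	// Constructed scenario: certificate issued at noon, valid for 10 minutes.
	notBefore := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	cert, err := newShortLivedCert(notBefore)
	if err != nil {
		panic(err)
	}
	good := []ObservedTimestamp{
		{Source: "rekor SET integrated time", Time: notBefore.Add(5 * time.Minute)},
		{Source: "TSA signed timestamp", Time: notBefore.Add(9 * time.Minute)},
	}
	fmt.Println("in-window observers:", verifyObservedTimestamps(cert, good))
	stale := []ObservedTimestamp{
		{Source: "TSA signed timestamp", Time: notBefore.Add(11 * time.Minute)},
	}
	fmt.Println("expired observer:", verifyObservedTimestamps(cert, stale))
	fmt.Println("no observers:", verifyObservedTimestamps(cert, nil))
}
```

The reason every observer is checked rather than just the first is the point cmurphy makes: a SET, a TSA timestamp and a tlog inclusion time are independent attestations, and each one must individually agree that the signature happened while the certificate was valid; dropping a check does not make the others redundant, it removes evidence.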