sigstore / sigstore-js

Code-signing for npm packages
Apache License 2.0

Client libraries should verify after signing #745

Open znewman01 opened 1 year ago

znewman01 commented 1 year ago

In the Sigstore clients special interest group meeting today, we discussed an issue with the release signatures on CPython.

We have two recommendations for client libraries:

  1. After signing, the clients MUST verify the signature (see Sigstore client spec).
  2. Client library interfaces SHOULD allow callers to specify an identity (and other verification parameters) to use for this verification.

I'm going to be a bit lazy (sorry) and rather than inspecting every client library by hand, just ask whether you're doing these and, if not, whether you all agree with these recommendations.

bdehamer commented 1 year ago

Currently, sigstore-js does neither of these things. However, I agree with the recommendations.

I'm working on refactoring a lot of the verification logic and will be sure to incorporate these requirements.