This ratchets verification down slightly: we reject the payload even if signed if it doesn't match one of our known attestation types, rather than expecting the caller to check the attestation type.
The caller can still further filter verification, e.g. by rejecting attestation types known to pypi-attestations but not supported by the caller.
This ratchets verification down slightly: we reject the payload even if signed if it doesn't match one of our known attestation types, rather than expecting the caller to check the attestation type.
The caller can still further filter verification, e.g. by rejecting attestation types known to
pypi-attestations
but not supported by the caller.WIP; needs tests.