Enhanced verification flow #150

@mhdawson

Description

I think a typical use case will be a project that has N people who are authorized to sign artifacts (releasers in the case of the Node.js project - https://github.com/nodejs/node#release-keys) and the end user wants to be able to easily validate that one of those people has signed an artifact.

I think in the simplest flow where ephemeral keys have been used (which I think is really nice in that certificates don't have to be stored/managed), the equivalent is that the user will want to verify that the artifact has been signed by any one of a list of emails.

sigstore-python has the option --cert-email, but that only validates against a single email, which does not quite fit this use case. Instead, something like a --cert-emails that allows you to provide a list or file containing a list of emails would simplify the verification.
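
The any-of check requested above, as an added example (not code from sigstore-python or from the issue author). It assumes the email identities have already been read from a signing certificate that the verifier has otherwise validated; `load_allowlist`, `match_signer` and the sample addresses are hypothetical.

```python
import io

def _normalise(email: str) -> str:
    """Lower-case only the domain; the local part is compared exactly."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local}@{domain.lower()}"

def load_allowlist(fileobj) -> frozenset:
    """Read one email per line; '#' starts a comment; blank lines are skipped."""
    emails = set()
    for raw in fileobj:
        line = raw.split("#", 1)[0].strip()
        if line:
            emails.add(_normalise(line))  # a malformed entry aborts the load
    if not emails:
        # Fail closed: an empty list must never mean "accept any signer".
        raise ValueError("allowlist is empty")
    return frozenset(emails)

def match_signer(cert_emails, allowlist):
    """Return the allowed email found in the certificate, or None."""
    for email in cert_emails:
        try:
            candidate = _normalise(email)
        except ValueError:
            continue  # a malformed certificate identity never matches
        if candidate in allowlist:
            return candidate
    return None

# Constructed sample data (not real release keys or signers).
SAMPLE_ALLOWLIST = """\
# releasers authorised to sign
alice@example.org
bob@Example.ORG   # domain case differs from the certificate
"""

if __name__ == "__main__":
    allowed = load_allowlist(io.StringIO(SAMPLE_ALLOWLIST))
    print(match_signer(["bob@example.org"], allowed))
    print(match_signer(["mallory@example.org"], allowed))
```

Returning the matched address rather than a boolean lets the caller log which releaser signed the artifact.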
