cosigned may improperly block multi-arch images

[mattmoor]

Description

As I was thinking about #784, this was another (largely orthogonal) thought

tl;dr cosigned only verifies root-level signatures, which for multi-arch indices may not be where the signatures live!

As we deal with multi-arch images, the signatures may exist deeper in the tree than on the tagged entity itself, so unless we do recursive verification this is going to be limiting. We also don't necessarily know which arch/platform/os to resolve for the image (consider heterogeneous clusters).

I think the check we really want here is: "every leaf image or one of its containing indices satisfies the check we are performing."

Right now, all we check is "is it signed?", so this is simpler, but if/as this expands into the broader policy space, this will get complicated fast.

[haydentherapper]

Closing as outdated, @mattmoor lemme know if this is still relevant.