This repository was archived by the owner on Apr 3, 2020. It is now read-only.
When package authors sign their module, we should allow them to include the expected identities of any signed dependencies they rely on.
Currently pkgsign requires the end user to indicate their trust of each individual signer in a package tree; that is, they need to indicate their trust of not only the authors of packages they use, but the authors of the dependencies those packages use.
When packages include expected identities, we should implicitly trust that package given that verification passes and the expected identity matches the actual identity (and the public key of the actual identity verifies the content). We could also perhaps introduce a --strict mode which turns this behaviour off, for users that want to manually trust each author individually.
Identities that are trusted implicitly via expected identities are not added to the trust store, and are only valid for the particular package that has the expected identity mapping.