Document commands to sanity-check certs before submitting to trust list

[crandmck]

The main command we run to validate a submission is:

c2patool ./image.jpg trust --allowed_list ./cert.pem

This has the usual output you would expect. What I'm looking for here is that there is no validation_status field which would indicate an error. Here's an example of an error:

  "validation_status": [
    {
      "code": "signingCredential.untrusted",
      "url": "Cose_Sign1",
      "explanation": "signing certificate untrusted"
    },
    {
      "code": "general.error",
      "url": "self#jumbf=/c2pa/urn:uuid:12c0239b-7519-474c-bb26-b3ee29920c59/c2pa.signature",
      "explanation": "claim signature is not valid: CoseCertUntrusted"
    }
  ]

Additionally, the submitter should verify that the signature_info.issuer field on the manifest is correct. That's what will show up on Verify. For one of the test images today:

$ c2patool ./image.jpg trust --allowed_list ./cert.pem | jq '.manifests[].signature_info.issuer'
"XYZ INC."

Additionally, they can do some basic verification of the cert they're submitting. On submitted certificates, I run (relies on ripgrep, any grep will do):

openssl x509 -noout -text -in 'cert.pem' | rg 'Subject:'

The example output for one of the certs today:

$ openssl x509 -noout -text -in 'cert.pem' | rg 'Subject:'
        Subject: organizationIdentifier=XYZ-7155227, C=US, ST=Delaware, L=Dover, O=Whatever Inc., SN=xxx, GN=xxx, CN=xxx

In particular, the O= should be correct (that's also what ends up in the signature_info block).