Implement signature verification

[TerryHowe]

This would involve:

1. Fetching the image manifest and signatures
2. Verifying signatures using the provided GPG keys
3. Checking identity matching rules

[shizhMSFT]

I'm worried about supporting them directly as they will introduce uncontrollable dependencies. If we do want to support them in the future, it is better to have proper interfaces and let the SDK user to wire them to oras-go with documentation / tutorials.

Original comment: #1013 (comment)