Improve clarity that the publicKey field accepts an X509 certificate

[eddiezane]

Description

Several folks have been caught up by the fact that the publicKey field accepts an X509 cert.

sigstore/sigstore-python#66

wlynch/smimecosign@501b643

Had the same confusion writing sget.

- @imjasonh

We should consider creating a new field or renaming it.

I think this is specific just to HashedRekord and derivatives?