sigsum-submit: Verify public availability of signed content before submission
It is okay if I make a mistake and sign some corrupt tarball: I can explain this situation if I still have the corrupt tarball. But if I run a set of commands to sign some artifact that I accidentally remove, then things are really bad for that key.
To reduce the risk of mistakes, when using your actual release signing key, it makes sense to ensure that the artifact is reliably archived before signing and submitting it to the log. Maybe we can add some features to sigsum-submit to help, e.g., accept both a URL and a local file as argument, and ensure that they are identical before signing, or maybe even upload directly with the archival service if we can define the conventions for that.
Yes, I think that this combined functionality would be nice. Since the "no hidden release" property appears to depend so strongly on a workflow that forever only adds signatures for publicly available content, the tools can help to assert that before completing the upload.
I'm thinking something like this:
    ssh-add -L > jas.pub
    sigsum-submit -k jas.pub libidn2-2.3.8.tar.gz
    sigsum-submit --timeout 30s --diagnostics=debug \
        -p sigsum-policy-20250309.txt \
        --token-signing-key ~/self/sigsum-token-secret-josefsson.org/mykey \
        --token-domain josefsson.org \
        --content-url https://ftp.gnu.org/gnu/libidn/libidn2-2.3.8.tar.gz \
        libidn2-2.3.8.tar.gz.req
The tool should attempt to download the URL and verify that its SHA256 checksum matches the 'message' field in the *.req file.
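As an added illustration of the check proposed in this thread (both the "local file and URL must be identical" idea and the "SHA256 must match the request's message field" rule), here is a stand-alone Python script. It is example code written for this page, not code from sigsum-go or from any participant. It assumes the *.req file is ASCII key=value lines whose `message` value is the hex SHA256 of the artifact; the sample artifact and request below are constructed for offline use, and the signature and public_key values are placeholders that this script does not validate.

```python
import hashlib
import sys
import urllib.request

# Constructed sample artifact and request for offline use (not a real
# libidn2 tarball and not real sigsum-submit output). The message value is
# the well-known SHA256 of b"abc".
SAMPLE_ARTIFACT = b"abc"
SAMPLE_REQUEST = (
    "message=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
    "signature=PLACEHOLDER_NOT_VALIDATED_HERE\n"
    "public_key=PLACEHOLDER_NOT_VALIDATED_HERE\n"
)


def parse_request(text):
    """Parse key=value lines into a dict (assumed .req layout)."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_published(local_data, remote_data, req_text):
    """Decide whether the request may be submitted.

    Returns (ok, reason). All three inputs must agree: the message field in
    the request is the SHA256 of the local file, the downloaded content hashes
    to the same value, and the two byte strings are identical.
    """
    fields = parse_request(req_text)
    message = fields.get("message")
    if message is None:
        return False, "request has no message field"
    expected = message.lower()
    if sha256_hex(local_data) != expected:
        return False, "local file does not match request message"
    if sha256_hex(remote_data) != expected:
        return False, "published content does not match request message"
    if remote_data != local_data:
        # Only reachable on a SHA256 collision; kept as a cheap extra check.
        return False, "published content differs from local file"
    return True, "ok"


def fetch(url, timeout=30):
    """Download url fully into memory using only the standard library."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def verify_before_submit(local_path, url, req_path, fetcher=fetch):
    """File-based wrapper returning (ok, reason); fetcher is injectable for tests."""
    with open(local_path, "rb") as f:
        local_data = f.read()
    with open(req_path, "r", encoding="ascii") as f:
        req_text = f.read()
    try:
        remote_data = fetcher(url)
    except OSError as e:  # urllib.error.URLError is a subclass of OSError
        return False, f"download failed: {e}"
    return check_published(local_data, remote_data, req_text)


if __name__ == "__main__":
    # Usage: python3 check_published.py ARTIFACT CONTENT_URL REQUEST_FILE
    if len(sys.argv) != 4:
        sys.exit("usage: check_published.py ARTIFACT CONTENT_URL REQUEST_FILE")
    ok, reason = verify_before_submit(sys.argv[1], sys.argv[2], sys.argv[3])
    print(reason)
    sys.exit(0 if ok else 1)
```

The exit status is what a release script would gate on: only when the download, the local file and the request all agree does the script return 0, so a wrapper can run it between `sigsum-submit -k` (which writes the *.req file) and the actual submission step.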