SLSA v1: unify "Verifying Artifacts" across provenance and spec

[MarkLodato]

Right now the steps to verify an artifact is split between two pages:

• https://slsa.dev/provenance/v1#verification --- Detailed steps how to verify
• https://slsa.dev/spec/v1.0/verifying-artifacts --- Broader picture with fewer details, plus an assignment between Package Ecosystem vs Consumer that may not be accurate (e.g. what if the Consumer does the verification)

@joshuagl and I discussed discussed a possible reorganization:

• Move all of the content to the spec, with the provenance page just linking there. This way there's no jumping back and forth.
• In the spec, say that we assume the reader is using slsa.dev/provenance/v1, but explain that if they are using something else they need to do the equivalent. This would also force us to explain each step to say why we're doing it.
• Organize the page as follows (not sure of section titles):
  • Overview / what the purpose of verification is
  • Talk about architecture options:
    • package ecosystem vs consumer --- we recommend moving the work to the ecosystem but it's not mandatory.
    • upload time vs install time vs monitoring (first half of Verifying Expectations)
  • How to verify = merge content from provenance/v1#verification plus second half of Verifying Expectations
• Remove Provenance Distribution since that is out of place (already found on Producing Artifacts)

[kpk47]

Addressed with #675