Stabilise `nix store verify`

[fricklerhandwerk]

This implements NixOS/rfcs#136. This issue is agreed-upon by the @NixOS/nix-team

Required changes:

• needs documentation on the default number of signatures required
  • also should say why it's important: copying a closure to a remote system loses the "ultimately trusted" bit, so before deploying, one will want to make sure it's fully signed
• signatures should be compared by key contents only, excluding names

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2023-09-04-nix-team-meeting-minutes-85/32608/1

[teto]

if one could get more details out of the command, would be nice as well. I wanted to investigate this message error: cannot add path '/nix/store/0df81zfsaqcbh7p81vqsvnqrq3j5h1i6-nixos-option' because it lacks a signature by a trusted key. My path is signed but I am not sure with which key

➜ nix store verify /nix/store/0df81zfsaqcbh7p81vqsvnqrq3j5h1i6-nixos-option
➜ nix store verify --sigs-needed 2 /nix/store/0df81zfsaqcbh7p81vqsvnqrq3j5h1i6-nixos-option
path '/nix/store/0df81zfsaqcbh7p81vqsvnqrq3j5h1i6-nixos-option' is untrusted
➜ nix store verify --sigs-needed 2 --verbose /nix/store/0df81zfsaqcbh7p81vqsvnqrq3j5h1i6-nixos-option
checking '/nix/store/0df81zfsaqcbh7p81vqsvnqrq3j5h1i6-nixos-option'...
path '/nix/store/0df81zfsaqcbh7p81vqsvnqrq3j5h1i6-nixos-option' is untrusted
# ^ here it should display the number of missing signatures at least