Test verification of the different bundles we produce with current sigstore-python version #1474

@jku

It's clear that next sigstore-python will be able to produce bundles that older releases cannot verify (due to lack of rekorv2 support) -- but I'd like to be sure of the differences especially if we're adding #1471 where the purpose sort of is to produce "old style" bundles

I'm especially thinking about the timestamp support:

  • we have not been using timestamps much but the verification code is already there
  • now the signing code does add a TSA timestamp
  • there are some details in the verification code that seem fishy (like the way we require at least one verified time but if TSA timestamps are defined then we also require one of those to be valid...)

Labels: enhancement (New feature or request)