Description
(from a conversation, cc @woodruffw )
Currently, pylock-attestations updates the attestation identities in the lockfile by iterating over the list of packages, selecting a single artifact from each package, downloading the provenance for that single artifact, and extracting the identities in that provenance. After that, it also verifies the provenance against the artifact's hash specified in the lockfile.
We could instead download the provenances for all artifacts, and verify all of them. The advantage is that there could be artifacts for the same package attested using different identities, so getting all the provenances would allow us to get all the possible identities. The disadvantage is performance: since some packages have dozens of wheels, this would increase the number of provenance downloads and verifications significantly.