Consider including the unfulfilled identity requirement on `prSignedBy` identity mismatches

Open mtrmac opened this issue 5 years ago • 0 comments

Currently identity mismatches fail just with https://github.com/containers/image/blob/e3293eaa4a81a99f33d1fda1eb9495aec722043f/signature/policy_eval_signedby.go#L66 which contains the identity from the signature, but does not say what would be accepted.

That information can be found in the policy, but it would be useful to make that easier, especially if there are multiple policy requirements that apply to a single image.

That would involve:

  • Modifying `PolicyReferenceMatch` to return an explanatory text for the kind of match that is expected (which is not just a single identity for *Repository matches, even more complex for the default `prmMatchRepoDigestOrExact` or for the future contemplated “remap namespace” facility)
  • Restructuring `prSignedBy` so that a call to `prSignedBy.isSignatureAuthorAccepted` directly includes that explanatory text, but `prSignedBy.isRunningImageAllowed` only includes that text once if there are multiple signatures, in order to not make the output nonsensically large. OTOH the text must make sense if some of the signatures fail an identity check, and some signatures use an untrusted key, and some fail for another reason.

The latter part seems fairly tricky.

mtrmac • Jul 15 '20 20:07
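
One possible shape for the restructuring proposed in the issue, as an added example that is not containers/image code: `referenceMatch`, `sameRepo`, `sig` and `evaluate` are hypothetical names and the signature outcomes are constructed. The error lists each signature's failure and states the expected identity once, and only when at least one failure was an identity mismatch.

```go
package main

import "fmt"
import "strings"

// referenceMatch: hypothetical stand-in for PolicyReferenceMatch that can also describe what it accepts.
type referenceMatch interface {
	matches(image, signed string) bool
	expected(image string) string
}
type sameRepo struct{} // hypothetical: accepts any tag in the image's repository
func repoOf(ref string) string { // drops a trailing ":tag" (samples are name:tag)
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[:i]
	}
	return ref
}
func (sameRepo) matches(image, signed string) bool { return repoOf(image) == repoOf(signed) }
func (sameRepo) expected(image string) string      { return "any tag in " + repoOf(image) }

type sig struct{ identity string; keyTrusted bool } // constructed outcome of verifying one signature

// evaluate returns nil on the first accepted signature; else one error, expected identity stated once.
func evaluate(m referenceMatch, image string, sigs []sig) error {
	if len(sigs) == 0 {
		return fmt.Errorf("%s rejected: no signatures", image)
	}
	reasons, mismatch := []string{}, false
	for i, s := range sigs {
		switch {
		case !s.keyTrusted: // key check comes first; the identity is not trusted yet
			reasons = append(reasons, fmt.Sprintf("signature %d: untrusted key", i+1))
		case !m.matches(image, s.identity):
			mismatch = true
			reasons = append(reasons, fmt.Sprintf("signature %d: identity %q not accepted", i+1, s.identity))
		default:
			return nil
		}
	}
	if mismatch { // explain the requirement only if an identity check failed
		reasons = append(reasons, "expected "+m.expected(image))
	}
	return fmt.Errorf("%s rejected: %s", image, strings.Join(reasons, "; "))
}

func main() {
	sigs := []sig{{"example.com/other:v1", true}, {"example.com/app:v1", false}}
	fmt.Println(evaluate(sameRepo{}, "example.com/app:v1", sigs))
}
```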