Perform X509 revocation check in signature verification

[rgnote]

Signature verification needs to perform x509 revocation check (CRL/OCSP) and fail if a certificate in the chain is revoked.

See https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md#certificate-revocation-evaluation

[yizha1]

Update the milestone to rc-3 based on the discussion.