verifier/ should test with certs that have invalid signatures.

[dadrian]

We're at about 87% test coverage in the verifier package, the remaining coverage is almost exclusively limited to testing lines that check signatures of certificates with matching subject/issuers. We need to write some tests that make valid-looking certificates, but with bits flipped in the signature. Given that the signature checking function is tested in x509/, we have low risk of being incorrect here, but I'd like to have this covered. Having these tests will prevent us from accidentally reversing our error handling, since that's easy to do in Golang due to it's lack of option types.