verifier-install: re-verify the binary on cache hits

[bordumb]

A cached or cross-run-restored auths binary was returned without checking it,
so a poisoned cache entry would run unverified — and for a verification action
a tampered binary can report success for everything. Both cache paths now
re-verify the binary against the release checksum before use, and a checksum
failure on a restored binary is surfaced rather than swallowed as a routine
cache miss. Adds adversarial tests for tampered tool-cache and cross-run-cache
entries.

[github-actions]

Auths Commit Verification

Commit	Status	Details
6aee0cba	❌ Failed	Commit carries no Auths-Id/Auths-Device trailer — it was not signed by auths sign (or predates KEL-native signing). Nothing to verify against.

Result: ❌ 0/1 commits verified

---

How to fix

Commit 6aee0cba has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

[bordumb]

Merged into main directly as d163de3 (rebased onto origin/main to reconcile with a concurrent docs commit).