sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced
The documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked.