SAS verification can end up as a success even though the SSK signature is never uploaded

[BillCarsonFr]

What is happening

• There is an existing device A
• The user wants to login a new device B

Device B starts an emoji verication with A
At the end of the process:

B will mark is own identity as verified OwnUserIdentityData::mark_as_verified. This will just make it as locally verified.

Device A, as the existing device, is the one that is responsible of signing the new device B with the ssk and to publih the
signature to the home server.

If for any reason, device A fails to sign and/or to publish the signature:

• A lost network
• A is turned off
• A do not have the private SSK
• Home server is having issues

Then B will forever think it is verified.
But it is not! The signature was never published. Yet, B think all is ok.

Rageshake of this scenario https://github.com/element-hq/element-x-android-rageshakes/issues/10069
B was seen as unverified by everyone. EXA was not warning me

Expected

As part of the verification process, device B should wait for the signature to be uploaded. I.e query it own key until it can see the verification signature published?

[BillCarsonFr]

I faced that problem while mx org was very slow.
So B was stuck for long and I restarted it (it did enter background mode).

It is possible that A didnt sent the verification done (?) msg, because it should do it after the signature is uploaded.

But yet if you kill/restart B when it is waiting for done it should clear the locally verified flag? resist to restart.

[BillCarsonFr]

Related to #1641 as you end up in a similar case where EX thinks it is verified, but nothing is published