Verify noir release attestations on download #59

@TomAFrench

Description

Noir binaries are now attested to as being built in github actions.

One really nice addition to noirup would be for it to:

  1. Check if the user has gh installed
  2. If so, if the download is coming from the main noir repo, verify the downloaded tar against the attestation.
    a. Halt installation and show a warning to user if it fails.
  3. If not, print a warning to the user that the download is unverified and suggest that they install gh but continue with install.

We should also have an --allow-insecure flag which allows skipping the attestation. This will be necessary to allow installing older releases.

The command for verifying is:

gh attestation verify --owner noir ./noir-tarball-path
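As an added example that is not noirup's own code or part of the issue, the steps above expressed as a POSIX shell sketch: a pure policy function that can be tested without gh present, the verification call from the issue, and the halt/warn/skip behaviour around it. It assumes the main repo slug is noir-lang/noir, takes the --owner value verbatim from the issue, makes the gh binary overridable through GH for mocking, and stands in a placeholder echo for the real extraction step.

```shell
#!/usr/bin/env sh
# Added example (not noirup's own code): gating an install on gh attestation.
set -u
MAIN_REPO="${MAIN_REPO:-noir-lang/noir}"        # assumption: the "main noir repo"
ATTESTATION_OWNER="${ATTESTATION_OWNER:-noir}"  # --owner value quoted in the issue
GH="${GH:-gh}"                                  # verifier command; overridable for mocks

# Pure decision function so the policy can be tested without gh installed.
# Args: <have_gh 0|1> <repo slug> <allow_insecure 0|1>
# Prints: verify | warn-no-gh | skip-insecure | skip-other-repo
attestation_policy() {
  have_gh="$1"; repo="$2"; allow_insecure="$3"
  if [ "$allow_insecure" = 1 ]; then echo skip-insecure; return 0; fi
  # Assumption: only downloads from the main repo carry attestations.
  if [ "$repo" != "$MAIN_REPO" ]; then echo skip-other-repo; return 0; fi
  if [ "$have_gh" = 1 ]; then echo verify; else echo warn-no-gh; fi
}

# Run the verification command from the issue against a downloaded tarball.
verify_tarball() {
  "$GH" attestation verify --owner "$ATTESTATION_OWNER" "$1"
}

# Args: <tarball path> <repo slug> [allow_insecure 0|1]; returns 1 to halt.
install_with_attestation() {
  tarball="$1"; repo="$2"; allow_insecure="${3:-0}"
  have_gh=0
  command -v "$GH" >/dev/null 2>&1 && have_gh=1   # step 1: is gh available?
  case "$(attestation_policy "$have_gh" "$repo" "$allow_insecure")" in
    verify)                                        # step 2: verify, halt on failure
      if ! verify_tarball "$tarball"; then
        echo "error: attestation verification failed for $tarball; halting install" >&2
        return 1
      fi ;;
    warn-no-gh)                                    # step 3: warn but continue
      echo "warning: gh not installed, download is unverified; install gh to verify attestations" >&2 ;;
    skip-insecure)                                 # --allow-insecure given
      echo "warning: --allow-insecure given, skipping attestation verification" >&2 ;;
    skip-other-repo) ;;
  esac
  echo "installing $tarball"   # placeholder for the real extraction step
  return 0
}
```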
