Improve signature verification

Building on !12 (closed), this adds some documentation around the signature verification process, refactors and fixes a few things so that adding support for other hash algorithms is possible, and hardens parsing of metadata by making sure that it can only happen during processing of the control section.