Validate DID by default in check command

[takuro-sato]

Summary

Make sign1util check automatically validate the embedded iss against the cert chain when --did is omitted, fix a swallowed-error bug in the resolver path, and stabilise the Makefile tests.

Changes

• cmd/sign1util/main.go
  • check: if --did is not provided, resolve the COSE document's own iss against the embedded chain and return any resolver error to the caller.
  • Fix := shadowing in checkCoseSign1 that previously dropped Resolve errors.
  • Scope DID resolution in checkCoseSign1 to callers that actually pass a didString, so unrelated commands (print, leaf, did-x509 -in) don't perform unwanted DID resolution.
• pkg/cosesign1/Makefile
  • Recipes that need a real DID (did-check, did-fail-subject) now derive it inline from chain.pem at recipe time. The previously-introduced AUTOPARSE_CHAIN toggle and shared ISSUER_DID variable are removed — they conflated the COSE iss label (a literal asserted by the unit test) with a verifiable DID.
  • Negative tests (did-fail-*) invert the expected non-zero exit with ! so the make target succeeds on a tool-level failure.
• pkg/cosesign1/Makefile.certs
  • Bump CA validity (root 3650d, intermediate 1825d, leaf 365d) to work around an upstream TODO in didx509go (CurrentTime: chain[0].NotAfter, see pkg/did-x509-resolver/resolver.go:36 TODO https://github.com/microsoft/didx509go/blob/main/pkg/did-x509-resolver/resolver.go#L36) that caused intermittent 1-second "current time after notAfter" CI failures when cert generation crossed a wall-clock second boundary. Failure example before the fix: https://github.com/microsoft/cosesign1go/actions/runs/26151406837/job/76919529317

Tests

make all and go test ./... pass locally.