I dug into this a bit more today. I think our best path forward in the short term is to simply add a docker worker task that runs in either the
ship phase of a release (depending on whether or not we think we'll ever overwrite artifacts), and runs
tl verify on all the artifacts in a release's directory. This short term method means we won't be verifying CoT - but it will be much quicker to bootstrap.
Down the line, if we want to verify CoT we can switch from docker worker to a scriptworker.
I've got something locally that's about half done, that uses a SHA256SUMS file to generate a bunch of
tl verify commands, and I'm currently working on getting it scheduled in Taskcluster. The script will need some tweaks after https://github.com/transparencylog/tl/issues/27 is done, so we can verify based on the hashes in SHA256SUMS instead of needing files on disk.
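As an added illustration of the SHA256SUMS-driven approach described above (this is example code, not the half-done script from the comment or anything from the tl project), the following sketch parses a coreutils-style SHA256SUMS file, refuses malformed or directory-escaping entries, checks that each artifact on disk actually matches its listed digest before anything is sent to the log, and then builds one `tl verify <file>` argv per artifact. The `tl verify <file>` invocation form, the `tl` binary name and the release-directory layout are assumptions; the artifact names and contents are constructed fixtures so the code runs offline.

```python
import hashlib
import os
import re
import shlex
import subprocess
import tempfile
from pathlib import Path

# coreutils SHA256SUMS line: 64 hex chars, a space, then either a space (text
# mode) or '*' (binary mode), then the path relative to the release directory.
SUMS_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64}) [ *](?P<path>.+)$")

# Constructed fixture: names and bytes are made up for this example.
CONSTRUCTED_ARTIFACTS = {
    "firefox-1.0.en-US.linux-x86_64.tar.bz2": b"not a real tarball\n",
    "firefox-1.0.en-US.win64.installer.exe": b"not a real installer\n",
}


def parse_sha256sums(text):
    """Return {relative_path: lowercase_digest}; reject anything unexpected."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"SHA256SUMS line {lineno}: malformed entry {raw!r}")
        rel = m.group("path")
        # Paths must stay inside the release directory; refuse absolute or '..'.
        if rel.startswith("/") or ".." in Path(rel).parts:
            raise ValueError(f"SHA256SUMS line {lineno}: path escapes release dir: {rel}")
        if rel in entries:
            raise ValueError(f"SHA256SUMS line {lineno}: duplicate entry for {rel}")
        entries[rel] = m.group("digest").lower()
    return entries


def load_release(release_dir):
    """Read SHA256SUMS from a release directory and parse it."""
    with open(os.path.join(release_dir, "SHA256SUMS"), "r", encoding="utf-8") as f:
        return parse_sha256sums(f.read())


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_local_digests(release_dir, entries):
    """Return the artifacts that are missing or whose bytes don't match SHA256SUMS."""
    bad = []
    for rel, digest in entries.items():
        p = os.path.join(release_dir, rel)
        if not os.path.isfile(p) or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def build_verify_commands(release_dir, entries, tl="tl"):
    """One argv per artifact. ASSUMPTION: tl is invoked as `tl verify <file>`."""
    return [[tl, "verify", os.path.join(release_dir, rel)] for rel in sorted(entries)]


def run_verify(commands):
    """Run each command; return (command, stderr) for every non-zero exit."""
    failures = []
    for argv in commands:
        result = subprocess.run(argv, capture_output=True, text=True)
        if result.returncode != 0:
            failures.append((shlex.join(argv), result.stderr.strip()))
    return failures


def make_constructed_release():
    """Write the constructed artifacts plus a matching SHA256SUMS into a temp dir."""
    d = tempfile.mkdtemp(prefix="release-")
    lines = []
    for name, data in CONSTRUCTED_ARTIFACTS.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
    with open(os.path.join(d, "SHA256SUMS"), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return d


if __name__ == "__main__":
    release = make_constructed_release()
    entries = load_release(release)
    mismatched = check_local_digests(release, entries)
    if mismatched:
        raise SystemExit(f"SHA256SUMS mismatch, not calling tl: {mismatched}")
    for argv in build_verify_commands(release, entries):
        print(shlex.join(argv))  # run_verify(...) would execute these if tl is installed
```

The local digest check is deliberately done first: if an artifact in the release directory no longer matches SHA256SUMS, that is already a failure worth stopping on, and it keeps the task from asking the log about bytes that are not the ones the release process published. The `run_verify` helper is kept separate so the command list can be printed and inspected in a dry run without `tl` on the worker.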