Description
We can detect more potential corruptions of ledger files at the cost of increased computation. Currently we have a single --insecure-skip-verification flag, which disables all verification. This is required for reading isolated files, but means we do minimal verification of the result. We could do better, and be more explicit about a "no verification, just try to parse" mode.

Specifically, we can:

1. validate nothing,
2. validate the offsets table,
3. validate each transaction's header (size points to the next offset, version and flags are allowed values),
4. validate the merkle tree in each signature (trust the first, confirm the mini-tree in each subsequent signature matches),
5. validate the signatures themselves (trust the node certs in each signature transaction, enforce invariants of reconfigurations within the seen files).

I don't know if all of these are worth exposing as separate options, but since they are (roughly) ordered in increasing computation cost I think the final setting is a monotonic level rather than distinct flags.
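As an added illustration of the monotonic-level idea (this is not CCF code and not something the issue author wrote), the following Python 3 reader applies exactly the checks listed above, each level implying the ones below it. Everything about the file is invented for the example: the `TLDG` layout with a leading offsets table, the 8-byte entry header, the single allowed flag bit, and an HMAC-SHA256 keyed by a `key_id` looked up in a trusted map, which stands in for the node certificate a real signature transaction carries. The "trust the first" rule is kept as stated: the first signature's root is accepted, because the entries it covers may live in an earlier file.

```python
# Added illustration for this issue: monotonic verification levels over a TOY
# ledger file. Layout, flag values and the HMAC "signature" are invented here;
# none of it is CCF's real ledger format.
#   file : MAGIC | u32 count | count x u32 absolute offsets | entries
#   entry: u32 size (incl. 8-byte header) | u8 version | u8 flags | u16 pad | payload
#   signature entry (flags & 1) payload: u8 key_id | 32B merkle root | 32B MAC
import hashlib
import hmac
import struct

MAGIC = b"TLDG"
HDR = struct.Struct("<IBBH")
ALLOWED_VERSIONS = {1}
FLAG_SIGNATURE = 0x01
ALLOWED_FLAGS = FLAG_SIGNATURE
# Cheapest first; each level implies every check below it.
PARSE_ONLY, OFFSETS, HEADERS, MERKLE, SIGNATURES = range(5)


class LedgerError(Exception):
    pass


def leaf_hash(raw):
    return hashlib.sha256(raw).digest()


def merkle_root(leaves):
    # Binary SHA-256 tree; an unpaired node is carried up unchanged.
    level = list(leaves)
    while len(level) > 1:
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() if i + 1 < len(level)
                 else level[i] for i in range(0, len(level), 2)]
    return level[0]


def build_ledger(payloads, node_key, key_id=1, sign_every=3):
    # Writer: a signature entry after every `sign_every` payloads. Its tree covers
    # the previous root plus the raw bytes of every entry since that signature.
    raws, pending, prev_root = [], [], b"\0" * 32

    def emit(payload, flags):
        raw = HDR.pack(HDR.size + len(payload), 1, flags, 0) + payload
        raws.append(raw)
        return raw

    for i, p in enumerate(payloads, 1):
        pending.append(leaf_hash(emit(p, 0)))
        if i % sign_every == 0 or i == len(payloads):
            root = merkle_root([prev_root] + pending)
            mac = hmac.new(node_key, root, hashlib.sha256).digest()
            emit(bytes([key_id]) + root + mac, FLAG_SIGNATURE)
            prev_root, pending = root, []
    offsets, pos = [], len(MAGIC) + 4 + 4 * len(raws)
    for raw in raws:
        offsets.append(pos)
        pos += len(raw)
    return (MAGIC + struct.pack("<I", len(raws))
            + struct.pack(f"<{len(raws)}I", *offsets) + b"".join(raws))


def read_ledger(data, level, node_keys=None):
    # Returns [(version, flags, payload), ...]; raises LedgerError at the first
    # check that fails for the requested level. PARSE_ONLY only refuses to read
    # a header that lies past the end of the file.
    if data[:4] != MAGIC:
        raise LedgerError("bad magic")
    (count,) = struct.unpack_from("<I", data, 4)
    table_end = 8 + 4 * count
    if table_end > len(data):
        raise LedgerError("truncated offsets table")
    offsets = list(struct.unpack_from(f"<{count}I", data, 8))
    if level >= OFFSETS and offsets:
        if offsets[0] != table_end or any(b <= a for a, b in zip(offsets, offsets[1:])):
            raise LedgerError("offsets table is not contiguous and strictly increasing")
    entries, raws = [], []
    for i, off in enumerate(offsets):
        if off + HDR.size > len(data):
            raise LedgerError(f"entry {i}: header past end of file")
        size, version, flags, _ = HDR.unpack_from(data, off)
        raw = data[off:off + size]
        if level >= HEADERS:
            nxt = offsets[i + 1] if i + 1 < len(offsets) else len(data)
            if off + size != nxt:
                raise LedgerError(f"entry {i}: size {size} does not reach next offset {nxt}")
            if version not in ALLOWED_VERSIONS or flags & ~ALLOWED_FLAGS:
                raise LedgerError(f"entry {i}: bad version {version} / flags {flags:#x}")
        entries.append((version, flags, raw[HDR.size:]))
        raws.append(raw)
    if level >= MERKLE:
        check_chain(entries, raws, level, node_keys or {})
    return entries


def check_chain(entries, raws, level, node_keys):
    # MERKLE: the first root is trusted (its history may sit in an earlier file);
    # each later root is recomputed from prev root + leaves since, and compared.
    # SIGNATURES: also verify the MAC under the key named by key_id (stand-in for
    # the node cert a real signature transaction carries).
    prev_root, pending = None, []
    for i, ((_, flags, payload), raw) in enumerate(zip(entries, raws)):
        if not flags & FLAG_SIGNATURE:
            pending.append(leaf_hash(raw))
            continue
        if len(payload) != 65:
            raise LedgerError(f"entry {i}: malformed signature payload")
        key_id, root, mac = payload[0], payload[1:33], payload[33:]
        if prev_root is not None and merkle_root([prev_root] + pending) != root:
            raise LedgerError(f"entry {i}: merkle root mismatch")
        if level >= SIGNATURES:
            key = node_keys.get(key_id)
            if key is None or not hmac.compare_digest(
                    hmac.new(key, root, hashlib.sha256).digest(), mac):
                raise LedgerError(f"entry {i}: signature check failed")
        prev_root, pending = root, []


def first_failing_level(data, node_keys):
    # Lowest level that rejects `data`, or None when every level accepts it.
    for level in range(SIGNATURES + 1):
        try:
            read_ledger(data, level, node_keys)
        except LedgerError:
            return level
    return None
```

`first_failing_level` is the useful diagnostic: flipping a byte in an offset is caught at level 1, a bad flag at level 2, a payload covered by a later signature at level 3, and a damaged MAC or an untrusted key only at level 4. The caveat the "trust the first" rule implies is also visible: a corrupted payload inside the range covered by the file's first signature passes every level when the file is read in isolation, because the root it is checked against is the one stored in that same file. Closing that gap needs the previous file (or a root carried over from it), which is the residual cost of reading isolated files.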