journalctl: verify that old entries are not sealed with too recent key (#28885)

journalctl: verify that old entries are not sealed with too recent key (#28885)

When verifying seals produced with forward secure sealing, the verification
currently does not check that old entries are only sealed with the key for
their epoch and not a more recent one. This missing check allows an attacker
to remove seals, and create new ones with the currently available key, and
verify will claim everything is in order, although all entries could have
been modified.

This resolves CVE-2023-31439.

Co-authored-by: Felix Dörre <felix.doerre@kit.edu>