fixup! Mention ext can't contain a signature itself

Signed-off-by: Aditya Sirish <[email protected]>

Author: adityasaky

envelope.md

@@ -88,7 +88,9 @@ Essentially, if a required extension in some context is missing or if a consumer
 does not recognize the extension, verification MUST fail closed.
 
 Finally, the opaque `ext` MUST NOT contain a DSSE envelope to avoid recursive
-verification of extensions and signatures.
+verification of extensions and signatures. Similarly, the `ext` MUST NOT provide
+the signature bytes itself, but MUST only contain information required to verify
+the signature recorded in `sig` field.
 
 ### Parsing rules