Push certificates for new/updated changes contain commands for
refs/for/*, even though that ref is not created. This means if we
store such certificates in PushCertificateStore, we can't use the
history of push certs on that ref to reconstruct anything like a
reflog. It would be confusing to see in refs/meta/push-certs a push
cert mentioning refs/for/* either on that ref (which doesn't exist) or
refs/changes/* (which is a completely unrelated refname).
Pushing to refs/for/* and having the data become a patch set is a
detail of the Gerrit model, so it makes sense to store the cert in the
same place as the patch set SHA-1 itself, namely the PatchSets table.
Change-Id: I51924054742fbd31b1abcce1ccdcf9bce76642ac
a11b59c424