EPIC: Develop OCM Signing Transformations and Basic Verification Command with `RSA-PSS`

[jakobmoellerdev]

Description
What is the goal of this epic?

The goal of this epic is to establish a robust, automatable signing transformer with RSA-PSS in mind.

This transformer should:

• use a sign / verify implementation that is working with parameters: https://github.com/open-component-model/pocm/pull/37/files#diff-891ff3dda2418e93cb16e81e91e71bbb2838d8960296fe3c32819da18eab48b9
• These parameters should accept
  • Private Key / Public Key Lists
  • Pinning Options

This will alow RSA based signing / verification with RSA PSS. To ensure consistent signatures, this will also require implementation of a normalization binding library with jcs based on jsonNormalisation/v3 from old OCM. Theres a reference implementation here with https://github.com/jakobmoellerdev/pocm/blob/ec30398a9c36eb6563d0e96108c22c66001ea94e/bindings/golang/normalisation/json/v3/normalisation.go

User Story
As an OCM User, I want to be able to dynamically sign component versions with or without recursion into child component versions. At the same time I want to be able to verify those Component Versions after signing them indempotently

Scope
List all deliverables that are part of this epic. The Epic is considered DONE if all of the below mentioned deliverables are available.

• Signing Component Versions (Recursively) with RSA-PSS is working with key parameters. Selected parameters from old OCM may be omitted but must be documented
• Support for specifiyng signature names is given
• Verifying Component Versions (Recursively) with RSA-PSS is working with key parameters. Selected parameters from old OCM may be omitted but must be documented
• RSA-PSS Signature Handling is available as a library
• JCS Normalizastion and Hashing of Component Descriptors is available as a library

Out of Scope

Anything other than jsonNormalisation/v3 is out of scope. (no other normalisation algorithms)
Support for TSA (Time Stamping Authorities) based signatures.
Keyless signing

Prerequisites

This can only be implemented when the CLI supports

• Loading Component Transformer Plugins
• Has the Capability to hash a v2 Component Descriptor