Implement & Test ocm sign componentversion #649

@jakobmoellerdev

Description

Goal

Enable OCM users to sign and verify component versions based on normalized descriptors, following ADR-0008 and the ComponentSignatureHandler contract.

Scope

  • Implement signing for component descriptors with pluggable handlers (default: RSASSA-PSS/v1alpha1).
  • Ensure descriptors are normalized and digested before signing.
  • Integrate with OCM credential graph for key resolution.
  • Provide CLI support via --signer-spec and --verifier-spec.
  • Example handler: RSA-PSS using PEM-based credentials (private_key_pem_file, public_key_pem_file).
  • Recursive resolution of References (and resources) to confirm Digests as per OCM Spec.
  • Integrate support for filesystem configuration (working dir).

Out of Scope

  • Automatic completion of missing digests (reject incomplete CVs for now)
  • Two-step signing flow (ocm add digest + pinned ocm sign).
  • Full Doc generation (do manual documentation for now)

Done Criteria

  • Implement ComponentSignatureHandler plugin (Sign, Verify, credential resolution) using the handler.
  • Wire RSA-PSS handler into CLI (ocm sign componentversion, ocm verify componentversion).
  • Unit tests for signing, verification, and credential resolution.
  • Integration tests covering full flow (sign + verify).
  • Remove obsolete tests, update suites as required.
  • Update end-user docs with CLI usage and config examples.
  • Update internal developer docs with handler contract and plugin guidance.
  • Reviewed and demoed successfully.
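The sign-and-verify flow the Scope bullets describe (normalize the descriptor, digest it, sign the digest with RSASSA-PSS, verify with the PEM public key credential), as an added Go example that is not the OCM project's own code. Digest uses sorted-key JSON as a stand-in for OCM's normalization; NewTestKey, LoadPublicKeyPEM and the descriptor contents are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
)

// Digest normalizes a constructed, simplified descriptor to sorted-key JSON and hashes it.
// This stands in for OCM's normalization and is not the real algorithm.
func Digest(desc map[string]any) ([32]byte, error) {
	b, err := json.Marshal(desc) // encoding/json emits map keys in sorted order
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(b), nil
}

// Sign produces an RSASSA-PSS signature (SHA-256, default PSS options) over the digest.
func Sign(key *rsa.PrivateKey, digest [32]byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
}

// Verify checks the signature against a digest the verifier recomputed itself.
func Verify(pub *rsa.PublicKey, digest [32]byte, sig []byte) error {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// LoadPublicKeyPEM parses a PKIX "PUBLIC KEY" PEM block (assumed form of public_key_pem_file).
func LoadPublicKeyPEM(pemBytes []byte) (*rsa.PublicKey, error) {
	blk, _ := pem.Decode(pemBytes)
	if blk == nil || blk.Type != "PUBLIC KEY" {
		return nil, errors.New("expected a PUBLIC KEY PEM block")
	}
	pub, err := x509.ParsePKIXPublicKey(blk.Bytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return rsaPub, nil
}

// NewTestKey generates a throwaway 2048-bit key; real use loads private_key_pem_file.
func NewTestKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
```

A verifier must recompute the digest from the descriptor it received rather than trust a digest shipped alongside the signature; the tampering check in the test relies on that.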

Metadata

Labels

  • area/ipcei: Important Project of Common European Interest
  • kind/task: small task, normally part of feature or epic

Status

🍺 Done