fix!: move verification to resolution service

[frewilhelm]

What this PR does / why we need it

This PR refactors signature verification logic by moving it from the component controller to the resolution service (worker pool). This centralizes verification and improves separation of concerns.

Key Changes

• Worker Pool: Implements complete signature verification logic with new ErrNotSafelyDigestible error type to distinguish safely digestible components from verification failures.
• Controllers: Remove verification methods and delegate to resolution service; updated error handling to gracefully handle non-digestible components.
• Cache Repository: Passes verification configurations, the digest specification of a component reference from the parent component, and signing registry to worker pool for centralized handling and trusted cache keys.
• Component reference integrity: If the component reference provides a digest specification, we re-generate the digest of the child component descriptor to ensure integrity.

Benefits

• Centralized verification logic reduces duplication across Component, Resource, and Deployer controllers
• Improved error handling with consistent behavior across all controllers
• Better separation of concerns: controllers orchestrate, resolution service verifies

Which issue(s) this PR fixes

Fixes open-component-model/ocm-project#787

Summary by CodeRabbit

• New Features

  • Digest- and signature-aware component resolution and verification.
  • Helm nested-signed example with sample repository, component, resource, deployer and signing keys.
  • Resource reconciliation Interval field for finer cadence control.

• Improvements

  • Non-fatal event signaling for digest/integrity issues.
  • Metrics now include verification state for better observability.
  • CRD description clarified for the signature field.
  • New condition reporting for component drift resolution.

• Tests

  • Expanded signing, verification, nested-resolution and cache/metrics test coverage.

[Skarlso]

I'm doing some nicification here and there and a general facelift going over the entire change.

I'll try to make it brief though. Hopefully, I can actually reduce the complexity here somewhat. I see that we actually don't need some of these things that we did here. So I'm going to give this a general facelift.

I will avoid changing too much though because I don't want people to have to re-read the entire thing. So I'll do one commit that you can view that will contain all the changes.

[Skarlso]

Here are the refactored changes that hopefully make the code a bit better and more readable.
83bf3da

I found a couple of things:

• newCacheBackedRepository removed -> this was literally not needed
• ResolveReferencePath params -> we already had RepositoryOptions that contained everything
• findMatchingReference and extractDigest -> extracted from the ResolveReferencePath loop
• identityFunc -> this was a straight duplicate of ocm.IdentityFuncIgnoreVersion()
• some duplication on constructing RepositoryOptions in the deployer's getEffectiveComponentDescriptor
• fixed bug -> errReferencePath was actually wrapping the wrong error :D