chore: apply to the website add tutorial for PEM signing with certificate chains

[Skarlso]

What this PR does / why we need it

This is a 1:1 port over from the website pull request here open-component-model/ocm-website#795 into the monorepo.

Which issue(s) this PR fixes

Testing

How to test the changes

Verification

• I have tested the changes locally by running ocm

[netlify]

✅ Deploy Preview for ocm-website canceled.

Name	Link
🔨 Latest commit	04846e2
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/69dcec57f4e1cf0008e3f879

[coderabbitai]

Warning

Rate limit exceeded

@Skarlso has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 56 minutes and 41 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 56 minutes and 41 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4a9a45f2-0a80-45ea-bdaa-3665b0982eb7

📥 Commits

Reviewing files that changed from the base of the PR and between f69cf13 and 04846e2.

📒 Files selected for processing (3)

• .github/config/linkspector.yaml
• .github/config/website-linkspector.yaml
• .github/workflows/markdown.yml

📝 Walkthrough

Walkthrough

Reorganizes signing/verification docs into a new tutorials/signing/ subtree (plain + PEM), updates cross-references across many docs, adds PEM tutorial and trust-model content, tweaks plain tutorial metadata and warning formatting, adjusts sidebar SCSS indentation, and normalizes page resolution in the Hugo sidebar partial; also updates linkspector configs to only check modified files.

Changes

Cohort / File(s)	Summary
Top-level doc index & cross-references website/content/_index.md	Updated action link to point at the new plain-signing tutorial.
Cross-reference updates website/content/docs/concepts/transfer-concept.md, website/content/docs/how-to/air-gap-transfer.md, website/content/docs/how-to/generate-signing-keys.md, website/content/docs/how-to/verify-component-version.md, website/content/docs/tutorials/advanced-component-constructor.md, website/content/docs/tutorials/configure-resolvers.md	Repointed multiple signing-and-verification links to docs/tutorials/signing/plain.md.
New & updated signing tutorials website/content/docs/tutorials/signing/_index.md, website/content/docs/tutorials/signing/plain.md, website/content/docs/tutorials/signing/pem.md	Added signing index, renamed plain tutorial metadata and warning formatting, and introduced a comprehensive PEM tutorial (workflows, examples, troubleshooting).
Concepts doc website/content/docs/concepts/signing-and-verification-concept.md	Changed PEM wording from "experimental" to "early access", updated messaging, and added a Trust Models section (Plain vs PEM).
How-to: sign component website/content/docs/how-to/sign-component-version.md	Added "Advanced: Choosing an Encoding Policy" describing Plain vs PEM usage, signer-spec example, and .ocmconfig requirements for PEM chains.
Sidebar styles website/assets/scss/common/_sidebar.scss	Adjusted nested sidebar padding: ul.list-nested details { padding-left: 0 } and nested lists get padding-left: 1rem.
Sidebar rendering logic website/layouts/_partials/sidebar/render-section-menu.html	Normalize $page from $node.Page/$node and use $page for ancestor/equality checks, collapsed-state and child enumeration.
Linkspector / CI configs .github/config/linkspector.yaml, .github/config/website-linkspector.yaml, .github/workflows/markdown.yml	Added modifiedFilesOnly: true and excluded website in one config to constrain link checking to changed files.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore(markdown): add markdownlint CI job and fix lint violations #1753 — touches the same GitHub Actions markdown/linkspector workflow configuration.
• feat: unify workflows, remove duplications and update packages for the website #2231 — also modifies markdown/linkspector workflow behavior (related config changes).

Suggested labels

area/documentation

Suggested reviewers

• jakobmoellerdev
• frewilhelm

Poem

🐇 I hopped through docs and taught the trail two ways,
Plain keys led the path, PEM brought chains ablaze.
Sidebars straightened, nested leaves in line,
Tutorials sorted neatly—everything's just fine.
A little rabbit cheers, with ink and tiny paws.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title describes adding a PEM signing tutorial, which is a core focus of the changeset, but includes the vague phrase 'apply to the website' which creates minor ambiguity.
Description check	✅ Passed	The description clearly explains this is a 1:1 port of website documentation changes and references the source PR, directly relating to the PEM signing tutorial additions throughout the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@website/content/docs/tutorials/signing/pem.md`:
- Around line 549-551: The troubleshooting section currently runs the command
"openssl verify -CAfile root.crt -untrusted intermediate.crt leaf.crt"
unconditionally which breaks Option A (where intermediate.crt is not created);
change the doc so that the second verification is executed only if an
intermediate certificate exists — either by adding a short conditional note
instructing users to run that command only when they followed Option B (or the
intermediate file is present) or by replacing the unconditional command with a
sentence that says "If you created intermediate.crt (Option B), run: openssl
verify -CAfile root.crt -untrusted intermediate.crt leaf.crt" so readers
following Option A won't see a failing command.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 776ff61d-3717-483a-bd47-09e16ddc2db6

📥 Commits

Reviewing files that changed from the base of the PR and between 677f6c5 and dc36e4b.

📒 Files selected for processing (14)

• website/assets/scss/common/_sidebar.scss
• website/content/_index.md
• website/content/docs/concepts/signing-and-verification-concept.md
• website/content/docs/concepts/transfer-concept.md
• website/content/docs/how-to/air-gap-transfer.md
• website/content/docs/how-to/generate-signing-keys.md
• website/content/docs/how-to/sign-component-version.md
• website/content/docs/how-to/verify-component-version.md
• website/content/docs/tutorials/advanced-component-constructor.md
• website/content/docs/tutorials/configure-resolvers.md
• website/content/docs/tutorials/signing/_index.md
• website/content/docs/tutorials/signing/pem.md
• website/content/docs/tutorials/signing/plain.md
• website/layouts/_partials/sidebar/render-section-menu.html

[Skarlso]

Linkchecker now correctly only runs on modified stuff and the repo checker doesn't run on website stuff.

Nice. Worked
Website:

 Running linkspector stats ...  
  💀📊 Linkspector check stats
  ┌───────────────────────────────┬────────┐
  │ 🟰 Total files checked        │     11 │
  ├───────────────────────────────┼────────┤
  │ 🔗 Total links checked        │     12 │
  ├───────────────────────────────┼────────┤
  │ 🌐 Hyperlinks                 │     10 │
  ├───────────────────────────────┼────────┤
  │ 📁 File and header links      │      2 │
  ├───────────────────────────────┼────────┤
  │ ✉️  Email links (Skipped)      │      0 │
  ├───────────────────────────────┼────────┤
  │ ✅ Working links              │     12 │
  ├───────────────────────────────┼────────┤
  │ 🚫 Failed links               │      0 │
  └───────────────────────────────┴────────┘

Repo:

 Running linkspector stats ...
  No modified files to check, skipping checking. To enable checking all files set modifiedFilesOnly: false and rerun the check.