
feat: wire GPG signing handler into CLI builtin plugins #2675

Merged: jakobmoellerdev merged 5 commits into open-component-model:main from jakobmoellerdev:feat/gpg-cli-integration on May 29, 2026

Conversation

@jakobmoellerdev (Member)
Summary

Registers the GPG/OpenPGP signing handler (added in #2560) as a built-in CLI plugin alongside RSA and Sigstore.

PR #2560 explicitly deferred CLI integration to a follow-up — this is that follow-up.

  • New cli/internal/plugin/builtin/gpg/register.go — registration shim mirroring the RSA pattern
  • cli/internal/plugin/builtin/builtin.go — registers GPG plugin at CLI startup
  • cli/go.mod — adds direct dependency on bindings/go/gpg
  • cli/integration/signing_gpg_integration_test.go — CLI-level round-trip integration test covering:
    • Happy path: sign then verify
    • Dry-run: verify must fail after --dry-run, then succeed after real sign
    • Wrong key: verify with a different public key must fail
  • website/content/docs/tutorials/signing/gpg.md — tutorial (weight 30, after plain.md/pem.md) covering GPG key generation, export, credential config, and sign/verify workflow

Test plan

  • Build (cli) passes — go build ./... in cli/
  • golangci-lint (cli) passes
  • Integration Tests (cli) passes — Test_Integration_Signing_GPG round-trip with live OCI registry
  • Spellcheck passes
  • DCO passes
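The three cases the integration test drives through the ocm CLI (sign then verify, verify must fail when no real signature was written, verify with a different public key must fail) come down to ordinary OpenPGP semantics. The script below is an added example and not code from the OCM project or this PR: it reproduces those checks with the plain gpg CLI on a constructed file, using detached signatures rather than the OCM component-descriptor signing the handler performs, and it adds one case the page does not list, a payload modified after signing. It assumes GnuPG 2.1 or newer on PATH; every user ID, path and the payload are invented for the demo.

```shell
#!/usr/bin/env bash
# Added example (not OCM project code): an OpenPGP sign/verify round trip
# with the plain gpg CLI, mirroring the cases the PR's integration test
# runs through the ocm CLI. Assumes GnuPG 2.1+ on PATH. All key user IDs,
# paths and the payload below are made up for the demo.
set -eu

# Fresh, isolated GnuPG home so the host keyring is never read or modified.
new_gnupghome() {
  local d
  d="$(mktemp -d)"
  chmod 700 "$d"
  printf '%s' "$d"
}

# Stop the per-home agent (if one was started) and delete the home.
drop_gnupghome() {
  GNUPGHOME="$1" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$1"
}

# Generate an unprotected ed25519 signing-only key in home $1 for user ID $2
# and print the primary key fingerprint.
gen_key() {
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" ed25519 sign 0 2>/dev/null
  GNUPGHOME="$1" gpg --batch --with-colons --list-keys 2>/dev/null \
    | awk -F: '$1=="fpr"{print $10; exit}'
}

# Armored public-key export for fingerprint $2 from home $1.
# This is what a verifier needs; the secret key never leaves the signer.
export_pub() {
  GNUPGHOME="$1" gpg --batch --armor --export "$2"
}

# Detached, armored signature over file $3, made with key $2 in home $1,
# written to $4.
sign_file() {
  GNUPGHOME="$1" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --local-user "$2" --armor --detach-sign --output "$4" "$3"
}

# Verify file $3 against signature $2 using ONLY the public keys in armored
# file $1 (imported into a throwaway home). Prints "ok" or "fail" instead of
# exiting non-zero so callers can assert on the word.
verify_with_pub() {
  local vhome result
  vhome="$(new_gnupghome)"
  GNUPGHOME="$vhome" gpg --batch --quiet --import "$1" 2>/dev/null
  if GNUPGHOME="$vhome" gpg --batch --verify "$2" "$3" >/dev/null 2>&1; then
    result=ok
  else
    result=fail
  fi
  drop_gnupghome "$vhome"
  echo "$result"
}

# Full round trip. Prints three words: the verdict with the matching public
# key, with a different signer's public key, and with a tampered payload.
round_trip() {
  local work signer other fpr_a fpr_b good wrong tampered
  work="$(mktemp -d)"
  signer="$(new_gnupghome)"
  other="$(new_gnupghome)"
  fpr_a="$(gen_key "$signer" "Signer A <a@example.test>")"
  fpr_b="$(gen_key "$other"  "Signer B <b@example.test>")"
  export_pub "$signer" "$fpr_a" > "$work/a.pub.asc"
  export_pub "$other"  "$fpr_b" > "$work/b.pub.asc"

  # Constructed payload standing in for the signed component descriptor.
  printf 'component: acme/demo\nversion: 1.0.0\n' > "$work/descriptor.yaml"
  sign_file "$signer" "$fpr_a" "$work/descriptor.yaml" "$work/descriptor.sig.asc"

  good="$(verify_with_pub "$work/a.pub.asc" "$work/descriptor.sig.asc" "$work/descriptor.yaml")"
  wrong="$(verify_with_pub "$work/b.pub.asc" "$work/descriptor.sig.asc" "$work/descriptor.yaml")"
  printf 'version: 1.0.1\n' >> "$work/descriptor.yaml"
  tampered="$(verify_with_pub "$work/a.pub.asc" "$work/descriptor.sig.asc" "$work/descriptor.yaml")"

  drop_gnupghome "$signer"
  drop_gnupghome "$other"
  rm -rf "$work"
  echo "$good $wrong $tampered"
}
```

Running `round_trip` prints `ok fail fail`. The verifier side deliberately imports nothing but the exported public key into an empty home, which is the posture a CI verifier should have: a wrong key is rejected because gpg cannot find a key for the signature's issuer, and a tampered payload is rejected because the signature no longer matches the digest. The trust warning gpg emits for an uncertified key does not affect the exit status, so key provenance (which fingerprint you accept) still has to be pinned by the caller, just as the ocm verify step pins a specific public key.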

coderabbitai Bot (Contributor) commented May 28, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 78bb161 and 22fe840.

⛔ Files ignored due to path filters (2)
  • cli/go.sum is excluded by !**/*.sum
  • cli/integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • cli/go.mod
  • cli/integration/go.mod
Walkthrough

This PR adds GPG/OpenPGP signing support to the OCM CLI: it updates Go module dependencies, implements and registers a GPG signing plugin, adds an end-to-end integration test exercising sign/verify flows, and provides a user-facing tutorial documenting usage and best practices.

Changes: GPG Signing Plugin Integration for OCM CLI

  • GPG Bindings and Crypto Dependencies (cli/go.mod, cli/integration/go.mod): adds ocm.software/open-component-model/bindings/go/gpg and promotes github.com/ProtonMail/go-crypto to a direct require in integration tests.
  • GPG Plugin Registration and Wiring (cli/internal/plugin/builtin/gpg/register.go, cli/internal/plugin/builtin/builtin.go): adds Register to construct the GPG handler and registers it via the signing registry; wires gpg registration into builtin plugin initialization.
  • GPG Signing Integration Test (cli/integration/signing_gpg_integration_test.go): end-to-end test that generates OpenPGP keypairs, creates configs, uploads a component, and validates dry-run sign failure, successful real sign, and verification failure with a mismatched key. Includes helpers to generate and write armored keys.
  • GPG Signing Tutorial Documentation (website/content/docs/tutorials/signing/gpg.md): new tutorial covering key generation, .ocmconfig credentials, signer-spec, signing and verification CLI examples, best practices, FAQ, and cleanup steps.

Sequence Diagram(s)

sequenceDiagram
  participant CLI_Init as CLI Init
  participant Builtin as builtin.Register
  participant GPG_Reg as gpg.Register
  participant Handler as handler.New
  participant Registry as SigningRegistry

  CLI_Init->>Builtin: call builtin.Register()
  Builtin->>GPG_Reg: call gpg.Register(signingRegistry, config)
  GPG_Reg->>Handler: handler.New(nil)
  GPG_Reg->>Registry: RegisterInternalComponentSignatureHandler(handler)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • morri-son
  • frewilhelm
  • piotrjanik

Poem

🐰 A tiny rabbit hops with glee,
Keys and signatures for all to see,
Plugin stitched and tests that run,
Docs to teach what we have done,
Sniff the bytes — trust sets us free.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: wiring the GPG signing handler into the CLI builtin plugins, which is the primary objective of this PR.
  • Description check: ✅ Passed. The description is directly related to the changeset, providing a clear summary of the GPG handler registration, affected files, test coverage, and documentation additions.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


netlify Bot commented May 28, 2026

Deploy Preview for ocm-website ready!

  • 🔨 Latest commit: 22fe840
  • 🔍 Latest deploy log: https://app.netlify.com/projects/ocm-website/deploys/6a196a1c839315000807157f
  • 😎 Deploy Preview: https://deploy-preview-2675--ocm-website.netlify.app

@github-actions github-actions Bot added kind/feature new feature, enhancement, improvement, extension size/l Large labels May 28, 2026
Registers the GPG/OpenPGP signing handler (from bindings/go/gpg, merged
in open-component-model#2560) as a built-in CLI plugin alongside RSA and Sigstore.

- cli/internal/plugin/builtin/gpg/register.go: new registration shim
- cli/internal/plugin/builtin/builtin.go: register GPG plugin at startup
- cli/go.mod: add direct dep on bindings/go/gpg
- cli/integration/signing_gpg_integration_test.go: CLI-level round-trip
  test covering happy path, dry-run, and wrong-key verification failure
- website/content/docs/tutorials/signing/gpg.md: tutorial mirroring
  plain.md structure, covering key generation, export, config, and
  sign/verify workflow

Closes the CLI integration gap deferred by open-component-model#2560.

On-behalf-of: @SAP <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
On-behalf-of: @SAP <jakob.moeller@sap.com>
@jakobmoellerdev jakobmoellerdev force-pushed the feat/gpg-cli-integration branch from 3dda432 to b368f34 Compare May 28, 2026 17:41
…torial

The CLI defaults to RSASSA-PSS when no signer spec is provided; GPG
requires an explicit GPGSigningConfiguration/v1alpha1 spec. Add
--signer-spec/--verifier-spec to all sign/verify calls in both the
integration test and the website tutorial. Also aligns the tutorial
structure with plain.md: adds an export-keys step, splits signer-spec
creation into the configure step, and adds a Q&A entry explaining why
a signer spec is required for GPG.

Verified end-to-end against a local CLI build.

Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
On-behalf-of: @SAP <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
On-behalf-of: @SAP <jakob.moeller@sap.com>
@jakobmoellerdev jakobmoellerdev marked this pull request as ready for review May 29, 2026 07:15
@jakobmoellerdev jakobmoellerdev requested a review from a team as a code owner May 29, 2026 07:15
handler.New ignores the passed scheme; GetSigningHandlerScheme()
on the handler provides its own scheme, which the registry reads
directly via RegisterInternalComponentSignatureHandler.

Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
On-behalf-of: @SAP <jakob.moeller@sap.com>
Comment thread cli/internal/plugin/builtin/gpg/register.go
@jakobmoellerdev jakobmoellerdev merged commit f6930ce into open-component-model:main May 29, 2026
51 checks passed
ocmbot Bot pushed a commit that referenced this pull request May 29, 2026
## Summary

Registers the GPG/OpenPGP signing handler (added in #2560) as a built-in
CLI plugin alongside RSA and Sigstore.

PR #2560 explicitly deferred CLI integration to a follow-up — this is
that follow-up.

- New `cli/internal/plugin/builtin/gpg/register.go` — registration shim
mirroring the RSA pattern
- `cli/internal/plugin/builtin/builtin.go` — registers GPG plugin at CLI
startup
- `cli/go.mod` — adds direct dependency on `bindings/go/gpg`
- `cli/integration/signing_gpg_integration_test.go` — CLI-level
round-trip integration test covering:
  - Happy path: sign then verify
- Dry-run: verify must fail after `--dry-run`, then succeed after real
sign
  - Wrong key: verify with a different public key must fail
- `website/content/docs/tutorials/signing/gpg.md` — tutorial (weight 30,
after plain.md/pem.md) covering GPG key generation, export, credential
config, and sign/verify workflow

## Test plan

- [ ] `Build (cli)` passes — `go build ./...` in `cli/`
- [ ] `golangci-lint (cli)` passes
- [ ] `Integration Tests (cli)` passes — `Test_Integration_Signing_GPG`
round-trip with live OCI registry
- [ ] `Spellcheck` passes
- [ ] `DCO` passes

---------

Signed-off-by: Jakob Möller <contact@jakob-moeller.com>

f6930ce
jakobmoellerdev added a commit to jakobmoellerdev/open-component-model that referenced this pull request Jun 2, 2026
Self-contained terminal demo for the OCM CLI GPG sign/verify workflow.
Generates a temporary GPG keypair, creates a CTF component version,
signs it with the GPG handler (wired in via PR open-component-model#2675), verifies the
signature, then cleans up the test key.

Usage: bash demo-gpg/setup.sh [OCM_BIN=/path/to/ocm]
On-behalf-of: @SAP <jakob.moeller@sap.com>
jakobmoellerdev added a commit to jakobmoellerdev/open-component-model that referenced this pull request Jun 10, 2026
Self-contained terminal demo for the OCM CLI GPG sign/verify workflow.
Generates a temporary GPG keypair, creates a CTF component version,
signs it with the GPG handler (wired in via PR open-component-model#2675), verifies the
signature, then cleans up the test key.

Usage: bash demo-gpg/setup.sh [OCM_BIN=/path/to/ocm]
On-behalf-of: @SAP <jakob.moeller@sap.com>