Crypt::sign() and Crypt::verify() for hash_hmac. #52746
Unanswered. JonathanGawrych asked this question in Ideas.
Replies: 0 comments
Right now in Laravel you can encrypt and decrypt strings, but you mostly cannot sign and verify strings. Laravel's signedRoutes provides HMAC signature verification, but only for routes.

We have manually added signing and verification in our code. As part of upgrading to Laravel 11 we were looking into key rotation, but realized that while signed routes have recently been upgraded to support app key rotation, our manual signings wouldn't work. We also noticed that in a couple of places we were using `===` rather than `hash_equals()`, opening ourselves to timing attacks. We looked on Packagist for something that would work, but found nothing.

It'd be great if Crypt could have `sign()` and `verify()` methods to check if a signature is valid, while supporting key rotation, expiration, and best security practices. It'd be further helpful if it could also have `signJson()`, `signQuery()` and `verifyJson()`, `verifyQuery()` that would properly add and remove the signature to an existing JSON or query string, so that we wouldn't have to do it ourselves. Finally, HMAC verification on Validator would be welcome.

If this idea seems good, I'd be happy to work on a PR.

Thanks!
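As an added illustration of what such a helper has to get right, the following standalone PHP shows the three properties the post asks for: a constant-time `hash_equals()` comparison instead of `===`, a list of accepted keys so tokens signed before a key rotation still verify, and an expiry timestamp covered by the MAC. This is example code written for this page, not Laravel's Crypt facade and not the discussion author's implementation; the `HmacSigner` class, its method names and the `<payload>.<expires>.<mac>` token layout are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example for this page, not Laravel's Crypt or the post author's code.
// HmacSigner, its method names and the "<payload>.<expires>.<mac>" token
// layout are assumptions chosen for illustration.
final class HmacSigner
{
    /** @var string[] */
    private array $keys;

    /**
     * @param string[] $keys  Current signing key first, followed by older keys
     *                        that should still verify after a rotation.
     */
    public function __construct(array $keys, private string $algo = 'sha256')
    {
        if ($keys === []) {
            throw new InvalidArgumentException('at least one key is required');
        }
        $this->keys = array_values($keys);
    }

    /** Signs $payload with the current key; $expiresAt is a Unix timestamp or null. */
    public function sign(string $payload, ?int $expiresAt = null): string
    {
        $body = self::b64url($payload) . '.' . ($expiresAt === null ? '' : (string) $expiresAt);
        $mac  = hash_hmac($this->algo, $body, $this->keys[0], true);
        return $body . '.' . self::b64url($mac);
    }

    /** Returns the payload, or null if the MAC is invalid or the token has expired. */
    public function verify(string $token, ?int $now = null): ?string
    {
        $parts = explode('.', $token);
        if (count($parts) !== 3) {
            return null;
        }
        [$encodedPayload, $exp, $encodedMac] = $parts;
        $mac = self::b64urlDecode($encodedMac);
        if ($mac === false) {
            return null;
        }

        // Accept any configured key so tokens signed before a rotation still verify.
        // hash_equals() compares in constant time; === would leak through timing.
        $body  = $encodedPayload . '.' . $exp;
        $valid = false;
        foreach ($this->keys as $key) {
            if (hash_equals(hash_hmac($this->algo, $body, $key, true), $mac)) {
                $valid = true;
            }
        }
        if (!$valid) {
            return null;
        }

        // Only trust the expiry field after the MAC covering it has been verified.
        if ($exp !== '' && (!ctype_digit($exp) || (int) $exp < ($now ?? time()))) {
            return null;
        }
        $payload = self::b64urlDecode($encodedPayload);
        return $payload === false ? null : $payload;
    }

    private static function b64url(string $bin): string
    {
        return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
    }

    private static function b64urlDecode(string $s): string|false
    {
        $padded = $s . str_repeat('=', (4 - strlen($s) % 4) % 4);
        return base64_decode(strtr($padded, '-_', '+/'), true);
    }
}

// Usage: rotate from $oldKey to $newKey while still accepting tokens issued under $oldKey.
$oldKey = random_bytes(32);
$newKey = random_bytes(32);

$issuedBeforeRotation = (new HmacSigner([$oldKey]))->sign('user=42', time() + 3600);
$afterRotation        = new HmacSigner([$newKey, $oldKey]);   // new key first, old key still accepted

var_dump($afterRotation->verify($issuedBeforeRotation));                      // token signed with the retired key
var_dump($afterRotation->verify($issuedBeforeRotation . 'x'));                // MAC tampered with
var_dump($afterRotation->verify($issuedBeforeRotation, time() + 7200));       // checked after the expiry time
var_dump((new HmacSigner([$newKey]))->verify($issuedBeforeRotation));         // old key removed from the accepted list
```

The expiry is placed inside the signed body rather than beside the token so an attacker cannot extend it, and it is only interpreted after the MAC has been checked. Dropping a key from the constructor list is what actually retires it; keeping it in the list is what makes rotation transparent to tokens already in the wild.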