Support Signing with passphrase protected GPG Keys

[voigt]

Description

Signing a component via ocm sign componentversion does not offer an option to provide a passphrase protected GPG key, which prevents reusing existing key material in some cases. I therefore request a feature for handling GPG keys which are passphrase protected.

Rationale

The OpenBao project wants to start distributing OpenBao artifacts via OCM (see #74).

For artifact signing the project usually uses a passphrase protected GPG key. With a lack of this feature, we are unable to reuse our well known and trusted key.

[jakobmoellerdev]

In general this feature can likely be accepted. Do you plan to use an ASCII armored gpg key? or a keychain? Only issue is that for PGP support we will likely need a separate library such as https://github.com/ProtonMail/go-crypto.

On top of that we would need to either extend the existing CLI with a separate flag or enhance the encoding of private keys to allow for passing of a keyphrase somehow. This requires a bit of thinking

[jakobmoellerdev]

Premature DOD:

• --private-key-passphrase as an additional CLI flag, that gets passed to the Signing Handlers Signing Context
• --private-key-type as a potential separator to differentiate gpg or regular private keys or alternatively automatically discover key type
• Take learnings from this Implementation and apply this to a new Issue for OCMv2
• Likely requires a little of exploration to find a good way to integrate this

[jakobmoellerdev]

We're gonna tackle this as soon as we can but still have some loose ends to follow.