feat: integrate WebAssembly component signing with dual-layer security

- Add wasmsign2 component signing integration using rules_wasm_component
- Implement OCI image signing with Cosign keyless signing (GitHub OIDC)
- Create dual-layer security model: component + container manifest signing
- Add signature verification rules and comprehensive security documentation
- Update CI/CD pipelines to build and publish signed components
- Support both signed and unsigned variants for different security requirements
- Include verification keys and comprehensive verification instructions

Author: avrabe

.bazelrc

@@ -56,7 +56,6 @@ build:release --copt=-O3
 build:release --copt=-DNDEBUG
 
 # Security settings
-build --experimental_enable_runfiles_with_generated_files
 build --incompatible_run_shell_command_string=false
 
 try-import %workspace%/.bazelrc.local

.github/workflows/ci.yml

@@ -67,6 +67,14 @@ jobs:
       run: |
         bazel build //tinygo:file_ops_component_wasm
         
+    - name: Build Signed WebAssembly Component
+      run: |
+        # Generate signing keys and build signed component
+        bazel build //tinygo:component_signing_keys //tinygo:file_ops_component_signed
+        
+        # Verify the signature
+        bazel build //tinygo:verify_file_ops_signature
+        
     - name: Validate WebAssembly Component
       run: |
         # Install wasm-tools if not available
@@ -75,9 +83,13 @@ jobs:
           sudo mv wasm-tools*/wasm-tools /usr/local/bin/ || mv wasm-tools*/wasm-tools.exe /usr/local/bin/
         fi
         
-        # Validate the generated WebAssembly component
+        # Validate the unsigned WebAssembly component
         wasm-tools validate bazel-bin/tinygo/file_ops_component_wasm.wasm
         wasm-tools component wit bazel-bin/tinygo/file_ops_component_wasm.wasm
+        
+        # Validate the signed WebAssembly component
+        wasm-tools validate bazel-bin/tinygo/file_ops_component_signed.wasm
+        wasm-tools component wit bazel-bin/tinygo/file_ops_component_signed.wasm
 
     - name: Upload TinyGo Artifacts
       uses: actions/upload-artifact@v4
@@ -86,6 +98,8 @@ jobs:
         path: |
           bazel-bin/tinygo/file_ops_tinygo*
           bazel-bin/tinygo/file_ops_component_wasm.wasm
+          bazel-bin/tinygo/file_ops_component_signed.wasm
+          bazel-bin/tinygo/component_signing_keys*
         retention-days: 7
 
   # Build and test Rust implementation