Add `ed25519` sign/verify

Test build in OBS has been tested manually with ostree-based image.

Approach is pretty simple: have a common interface for signing, with implementation of particular sign/verify in separate modules.

• could co-exists with current GPG implementation
• allows to store and use multiple signature types in detached metadata in the same time
• --with-libsodium is needed to build with support of ed25515 signature mechanism

Current status:

• added the very first version of signing interface
• added "dummy" signing module
• added new builtin ostree sign (inspired by "ostree gpg-sign") allowing to sign and verify commits
• able to do ostree commit with signing
• able to ostree sign commits with dummy and ed25519 signing modules
• able to verify commits with ostree sign --verify
• able to check the signature commit while pulling from http-server with dummy and ed25519 modules
• added tests for commits signing/verification and pulling verification

New configuration keys:

• sign-verify -- global and per-remote to trigger verification for OTA updates
• verification-key -- per-remote -- for ed25519: base64 encoded public key to use for verification
• verification-file -- per-remote -- for ed25519: file with the list of base64 public keys to use for verification

Also added "well-known" system places for ed25519 public keys -- expected 1 base64 key per line:

• files
  • /etc/ostree/trusted.ed25519
  • DATADIR + /ostree/trusted.ed25519
• and directories:
  • /etc/ostree/trusted.ed25519.d
  • DATADIR + /ostree/trusted.ed25519.d

Current logic for verification during the commits pulling:

• use verification-key if it exists in configuration
• use verification-file if it exists in configuration
• check public keys from well-known system places

not implemented:

• summary file signing/verification
• not integrated into all places there GPG already interated