Initial signing support (#1345)

* Add CLI options

* Add manifest types

* Thread signature policy through to fetchers

* Thread signing section through from metadata

* Implement signing validation

* Clippy

* Attempt testing

* Yes and

* Why

* fmt

* Update crates/bin/src/args.rs

Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

* Update crates/binstalk-fetchers/src/gh_crate_meta.rs

Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

* Update crates/bin/src/args.rs

Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

* Update crates/binstalk-fetchers/src/signing.rs

Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

* Update crates/binstalk-fetchers/src/signing.rs

Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

* Update crates/binstalk-fetchers/src/signing.rs

Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

* Update crates/binstalk-fetchers/src/signing.rs

Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

* fixes

* Finish feature

* Document

* Include all fields in the signing.file template

* Readme document

* Review fixes

* Fail on non-utf8 sig

* Thank goodness for tests

* Run test in ci

* Add rsign2 commands

* Log utf8 error

* Update e2e-tests/signing.sh

Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

* Fix `e2e-tests/signing.sh` MacOS CI failure

Move the tls cert creation into `signing.sh` and sleep for 10s to wait
for https server to start.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Refactor e2e-tests-signing files

 - Use a tempdir generated by `mktemp` for all certificates-related
   files
 - Put other checked-in files into `e2e-tests/signing`

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Fixed `e2e-tests-signing` connection err in MacOS CI

Wait for server to start up by trying to connect to it.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Fix `e2e-tests-signing` passing `-subj` to `openssl` on Windows

Use single quote instead of double quote to avoid automatic expansion
from bash

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Fix `e2e-tests-signing` waiting for server to startup

Remove `timeout` since it is not supported on MacOS.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Try to fix windows CI by setting `MSYS_NO_PATHCONV=1` on `openssl` cmds

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Fixed `e2e-tests-signing` on windows

By using double `//` for the value passed to option `-subj`

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Fixed infinite loop in `signing/wait-for-server` on Windows

Pass `--ssl-revoke-best-effort` to prevent schannel from checking ssl
revocation status.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Add cap on retry attempt in `signing/wait-for-server.sh`

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Let `singing/server.py` print output to stderr

so that we can see the error message there.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Fix running `signing/server.py` on MacOS CI

use `python3` since macos-latest still has python2 installed and
`python` is a symlink to `python2` there.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

---------

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>

e2e-tests/signing/signing-test.exe.nasm

@@ -0,0 +1,74 @@
+; tiny97.asm, copyright Alexander Sotirov
+
+BITS 32
+;
+; MZ header
+; The only two fields that matter are e_magic and e_lfanew
+
+mzhdr:
+    dw "MZ"       ; e_magic
+    dw 0          ; e_cblp UNUSED
+
+; PE signature
+pesig:
+    dd "PE"       ; e_cp, e_crlc UNUSED       ; PE signature
+
+; PE header
+pehdr:
+    dw 0x014C     ; e_cparhdr UNUSED          ; Machine (Intel 386)
+    dw 1          ; e_minalloc UNUSED         ; NumberOfSections
+
+;   dd 0xC3582A6A ; e_maxalloc, e_ss UNUSED   ; TimeDateStamp UNUSED
+
+; Entry point
+start:
+    push byte 42
+    pop eax
+    ret
+
+codesize equ $ - start
+
+    dd 0          ; e_sp, e_csum UNUSED       ; PointerToSymbolTable UNUSED
+    dd 0          ; e_ip, e_cs UNUSED         ; NumberOfSymbols UNUSED
+    dw sections-opthdr ; e_lsarlc UNUSED      ; SizeOfOptionalHeader
+    dw 0x103      ; e_ovno UNUSED             ; Characteristics
+
+; PE optional header
+; The debug directory size at offset 0x94 from here must be 0
+
+filealign equ 4
+sect_align equ 4  ; must be 4 because of e_lfanew
+
+%define round(n, r) (((n+(r-1))/r)*r)
+
+opthdr:
+    dw 0x10B      ; e_res UNUSED              ; Magic (PE32)
+    db 8                                      ; MajorLinkerVersion UNUSED
+    db 0                                      ; MinorLinkerVersion UNUSED
+
+; PE code section
+sections:
+    dd round(codesize, filealign)  ; SizeOfCode UNUSED  ; Name UNUSED
+    dd 0  ; e_oemid, e_oeminfo UNUSED ; SizeOfInitializedData UNUSED
+    dd codesize  ; e_res2 UNUSED  ; SizeOfUninitializedData UNUSED  ; VirtualSize
+    dd start  ; AddressOfEntryPoint  ; VirtualAddress
+    dd codesize  ; BaseOfCode UNUSED  ; SizeOfRawData
+    dd start  ; BaseOfData UNUSED  ; PointerToRawData
+    dd 0x400000  ; ImageBase  ; PointerToRelocations UNUSED
+    dd sect_align ; e_lfanew  ; SectionAlignment  ; PointerToLinenumbers UNUSED
+    dd filealign  ; FileAlignment  ; NumberOfRelocations, NumberOfLinenumbers UNUSED
+    dw 4  ; MajorOperatingSystemVersion UNUSED ; Characteristics UNUSED
+    dw 0  ; MinorOperatingSystemVersion UNUSED
+    dw 0  ; MajorImageVersion UNUSED
+    dw 0  ; MinorImageVersion UNUSED
+    dw 4  ; MajorSubsystemVersion
+    dw 0  ; MinorSubsystemVersion UNUSED
+    dd 0  ; Win32VersionValue UNUSED
+    dd round(hdrsize, sect_align)+round(codesize,sect_align) ; SizeOfImage
+    dd round(hdrsize, filealign)  ; SizeOfHeaders
+    dd 0  ; CheckSum UNUSED
+    db 2  ; Subsystem (Win32 GUI)
+
+hdrsize equ $ - $$
+filesize equ $ - $$
+