Description
U-Boot's native format to load images that consist of several components is FIT (https://fitspec.osfw.foundation/). It's also possible to sign them to allow for verified boot. That is documented here: https://docs.u-boot.org/en/stable/usage/fit/index.html. Esp. https://docs.u-boot.org/en/stable/usage/fit/signature.html
The mkimage tool can be used to add signatures to FIT images, either at build time or afterwards. The slightly weird part is that mkimage produces a dtb file with the key parameters used for signing. This file is then supposed to be compiled into U-Boot (or baked into the hardware). So in the context of OBS a feature would be needed similar to needssslcertforbuild to provide the key information as dtb. For the actual signing I guess a mechanism similar to pesign-obs-integration would be needed.
Here's an example image build that uses mkimage (without signing) to produce FIT images:
https://build.opensuse.org/package/show/home:lnussel:debbuild/image-qemu
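
As an added illustration (not part of the original issue and not code from OBS or U-Boot), the sketch below reads the key dtb discussed above and lists the public-key parameters stored under `/signature`, which is the information a build service would have to hand to a U-Boot build. The property names follow the U-Boot signature documentation linked above; the node name `key-dev`, the helper names and the sample blob with its dummy modulus are constructed assumptions.

```python
import struct

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def signing_keys(blob):
    """Walk a DTB and return {key node: {property: value}} for /signature/* nodes."""
    magic, total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a flattened device tree")
    pos, path, keys = off_struct, [], {}
    while True:
        token, pos = struct.unpack_from(">I", blob, pos)[0], pos + 4
        if token == BEGIN_NODE:
            name = blob[pos:blob.index(b"\0", pos)]
            path.append(name.decode())
            pos = (pos + len(name) + 4) & ~3        # name + NUL, padded to 4 bytes
        elif token == END_NODE:
            path.pop()
        elif token == PROP:
            length, name_off = struct.unpack_from(">2I", blob, pos)
            name = blob[off_strings + name_off:].split(b"\0", 1)[0].decode()
            value = blob[pos + 8:pos + 8 + length]
            if path[:2] == ["", "signature"] and len(path) == 3:
                keys.setdefault(path[2], {})[name] = (
                    value.rstrip(b"\0").decode() if name in ("algo", "required", "key-name-hint")
                    else int.from_bytes(value, "big"))
            pos = (pos + 8 + length + 3) & ~3
        elif token == END:
            return keys
        elif token != NOP:
            raise ValueError(f"unknown FDT token {token}")

def build_sample_dtb(props):
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    tok = lambda t: struct.pack(">I", t)
    strings, body = b"", b""
    for name, value in props:                        # properties of the key node
        body += struct.pack(">3I", PROP, len(value), len(strings)) + pad(value)
        strings += name.encode() + b"\0"
    for name in ("key-dev", "signature", ""):        # wrap innermost to root
        body = tok(BEGIN_NODE) + pad(name.encode() + b"\0") + body + tok(END_NODE)
    body += tok(END)
    header = struct.pack(">10I", FDT_MAGIC, 56 + len(body) + len(strings), 56,
                         56 + len(body), 40, 17, 16, 0, len(strings), len(body))
    return header + bytes(16) + body + strings       # 16 bytes: empty reserve map

# Constructed sample standing in for the key dtb; the modulus is dummy data.
SAMPLE = build_sample_dtb([("algo", b"sha256,rsa2048\0"), ("required", b"conf\0"),
    ("rsa,num-bits", struct.pack(">I", 2048)), ("rsa,modulus", b"\xc3" + bytes(255))])
```

For a real file, pass its bytes to `signing_keys()`; only public parameters should appear there, so the blob can be exposed to builds while the private key stays with the signing service.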