Commit
This adds support for creating signed GPT disk images. If Verity=signed is set this will not only generate and insert Verity data, but then use the resulting root hash, sign it and include it in an additional partition. It will also write the resulting PKCS7 signature out into a new .roothash.p7s file.

This scheme is compatible with kernel 5.4's PKCS7 signature logic for dm-verity: the resulting .p7s file can be passed as-is to the kernel (or systemd's RootHashSignature= setting).

The partition this embeds contains a simple JSON object containing three fields: the verity root hash, the PKCS7 data (i.e. the same data as in the .p7s file, but in base64), and the SHA256 fingerprint of the signing key. This partition is supposed to be read by the image dissection logic of systemd, to implement signed single-file images. (I am still working on the corresponding PR for systemd.)

This opens up two avenues for image verification:

1. Everything in one file: the single, unified GPT disk image contains three partitions, for payload data, verity data and verity signature.

2. Split out: root hash and its signature are stored in two "sidecar" files.

(Of course I'd personally always go the "unified" way, but given the RootHashSignature= logic exists already, and it's easy to support, let's support it.)
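The signing and verification steps the commit message describes, as an added example that is not part of the commit or of mkosi/systemd: a dm-verity root hash is signed as a detached DER PKCS7 blob (the .roothash.p7s sidecar), the signature is checked against the claimed root hash, and the three-field JSON object for the signature partition is assembled. It assumes openssl is installed, uses a throwaway self-signed certificate generated on the fly, and the JSON field names (rootHash, certificateFingerprint, signature) and the choice of fingerprinting the certificate rather than the bare key are assumptions, since the page does not name them.

```shell
#!/bin/sh
# Added example (not mkosi's or systemd's own code). Requires openssl.
# JSON field names and the "fingerprint of the certificate" choice are assumptions.
set -eu

# Constructed sample root hash, shaped like a SHA256 dm-verity root hash (64 hex chars).
SAMPLE_ROOTHASH="4e1243bd22c66e76c2ba9eddc1f91394e57f9f83e5a0b5d3c0a6e6d1b8a9c7f2"

# make_signing_key DIR: create a throwaway self-signed key + certificate (for this demo only).
make_signing_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=verity test key" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# sign_roothash DIR ROOTHASH: write ROOTHASH to DIR/roothash (no trailing newline, so the
# signed bytes are exactly the hex string) and a detached DER PKCS7 signature over it to
# DIR/roothash.p7s, i.e. the same shape as the .roothash.p7s sidecar file.
sign_roothash() {
    printf '%s' "$2" > "$1/roothash"
    openssl smime -sign -binary -noattr -in "$1/roothash" \
        -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -outform DER -out "$1/roothash.p7s"
}

# verify_roothash DIR ROOTHASH: succeed only if DIR/roothash.p7s is a valid signature over
# ROOTHASH by a certificate that chains to DIR/cert.pem. A mismatching root hash fails.
verify_roothash() {
    printf '%s' "$2" > "$1/claimed"
    openssl smime -verify -binary -inform DER -in "$1/roothash.p7s" \
        -content "$1/claimed" -CAfile "$1/cert.pem" -out /dev/null >/dev/null 2>&1
}

# cert_fingerprint DIR: lowercase hex SHA256 fingerprint of DIR/cert.pem, no colons.
cert_fingerprint() {
    openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# make_verity_sig_json DIR ROOTHASH: the three-field JSON object for the signature
# partition: root hash, base64 of the DER PKCS7 data, and the signer fingerprint.
make_verity_sig_json() {
    sig=$(openssl base64 -A -in "$1/roothash.p7s")
    fp=$(cert_fingerprint "$1")
    printf '{"rootHash":"%s","certificateFingerprint":"%s","signature":"%s"}\n' \
        "$2" "$fp" "$sig"
}

# Stand-alone demo: sign, verify, show the JSON, then clean up.
demo() {
    d=$(mktemp -d)
    make_signing_key "$d"
    sign_roothash "$d" "$SAMPLE_ROOTHASH"
    verify_roothash "$d" "$SAMPLE_ROOTHASH" && echo "signature OK for $SAMPLE_ROOTHASH"
    make_verity_sig_json "$d" "$SAMPLE_ROOTHASH"
    rm -rf "$d"
}

demo
```

The verifier side is the part that matters for a defender: the signature is only meaningful if it is checked against the root hash that is actually about to be used for dm-verity, and against a trust anchor you control (here the -CAfile argument), so a tampered hash or a signature from an unknown key is rejected before the image is mounted.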