feat: add support for signing OCI image manifests #623

Open
SequeI wants to merge 2 commits into sigstore:main from SequeI:pr1-oci-manifest-signing

SequeI (Contributor) commented Mar 18, 2026

Summary

Add --oci-manifest flag to sign and verify commands to treat the input
as an OCI image manifest JSON file (e.g., from skopeo inspect --raw).
This enables signing container images without requiring model files
on disk.

New functions:

  • hashing.parse_digest_string(): Parse OCI digest strings
  • hashing.create_manifest_from_oci_layers(): Create manifest from OCI layers
  • signing.Config.sign_manifest(): Sign a pre-built manifest
  • verifying.Config.verify_manifest(): Verify against a pre-built manifest

    skopeo inspect --raw docker://quay.io/test/testing:test-model-for-ci > manifest.json
    model_signing sign key manifest.json --oci-manifest --private-key key.priv --signature manifest.sig
    model_signing verify key manifest.json --oci-manifest --public-key key.pub --signature manifest.sig

Part 1 of supporting OCI model image signing and verifying via ORAS package.

Checklist
  • All commits are signed-off, using DCO
  • All new code has docstrings and type annotations
  • All new code is covered by tests. Aim for at least 90% coverage. CI is configured to highlight lines not covered by tests.
  • Public facing changes are paired with documentation changes
  • Release note has been added to CHANGELOG.md if needed
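
Added example (not code from this PR or from model-signing): a sketch of what strict parsing of OCI digest strings and collecting per-layer digests from a raw manifest involves, plus the digest of the raw manifest bytes that a single-file signature would cover. The function names, the algorithm allowlist and the sample manifest are assumptions constructed for illustration.

```python
import hashlib
import json
import re

# Allowlisted algorithms and hex lengths (an assumption of this example).
_HEX_LEN = {"sha256": 64, "sha512": 128}
_DIGEST_RE = re.compile(r"([a-z0-9]+):([a-f0-9]+)")


def parse_oci_digest(value: str) -> tuple[str, bytes]:
    """Split 'algorithm:hex' into (algorithm, raw bytes), rejecting anything else."""
    m = _DIGEST_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"malformed digest: {value!r}")
    algorithm, encoded = m.groups()
    if _HEX_LEN.get(algorithm) != len(encoded):
        raise ValueError(f"unsupported algorithm or wrong length: {value!r}")
    return algorithm, bytes.fromhex(encoded)


def layer_digests(raw_manifest: bytes) -> list[tuple[str, str, bytes]]:
    """Return (name, algorithm, digest) per layer; the title annotation is optional."""
    doc = json.loads(raw_manifest)
    layers = doc.get("layers")
    if not isinstance(layers, list) or not layers:
        raise ValueError("not an image manifest: no layers")
    out = []
    for index, layer in enumerate(layers):
        name = layer.get("annotations", {}).get(
            "org.opencontainers.image.title", f"layer_{index:03d}")
        out.append((name, *parse_oci_digest(layer["digest"])))
    return out


def manifest_digest(raw_manifest: bytes) -> str:
    """Digest of the manifest as served; re-serialized JSON hashes differently."""
    return "sha256:" + hashlib.sha256(raw_manifest).hexdigest()


# Constructed sample manifest (digests are hashes of placeholder byte strings).
SAMPLE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [
        {"digest": "sha256:" + hashlib.sha256(b"weights").hexdigest(), "size": 7,
         "annotations": {"org.opencontainers.image.title": "model.safetensors"}},
        {"digest": "sha256:" + hashlib.sha256(b"config").hexdigest(), "size": 6},
    ],
}).encode()
```

The bytes hashed at verification time have to be the exact bytes that were signed: parsing the manifest and writing it back out changes `manifest_digest` even when the layer list is identical.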

SequeI added 2 commits March 18, 2026 13:42
Add --oci-manifest flag to sign and verify commands to treat the input
as an OCI image manifest JSON file (e.g., from skopeo inspect --raw).
This enables signing container images without requiring model files
on disk.

New functions:
- hashing.parse_digest_string(): Parse OCI digest strings
- hashing.create_manifest_from_oci_layers(): Create manifest from OCI layers
- signing.Config.sign_manifest(): Sign a pre-built manifest
- verifying.Config.verify_manifest(): Verify against a pre-built manifest

Signed-off-by: SequeI <asiek@redhat.com>
Signed-off-by: SequeI <asiek@redhat.com>
SequeI requested review from a team as code owners March 18, 2026 13:57
mihaimaruseac (Member) commented Mar 30, 2026

I'm a little bit wary of this. All model hubs treat the model as the individual set of files, not the files within the container.

I am thinking that a solution that is composable is better, rather than getting into a single-tool-that-supports-all-possible-combinations approach. Sure, model-signing can sign any collection of files, so you could also split this task into extracting the manifest from the OCI image and then just signing that file (and for verification you'd do the same, extract the manifest and compare it against what's hashed in the signature). But, at this point, simple sigstore signing would also work, since this is just one single file. In fact, I think that that would be a better alternative, as then any sigstore tooling can work, rather than having to implement the stack with the model hashing algorithms we're adding here.

I'd propose to discuss this PR in the next model signing SIG meeting, together with the entire plan (as this is just the first part in this work).

I'm also CC'ing @Hayden-IO from the Sigstore community's point of view here.

mihaimaruseac added the "discusion pending" label (Label for PRs and Issues that we should discuss at a Model Signing SIG Meeting) Mar 30, 2026

Hayden-IO (Collaborator) commented

I'll echo Mihai's comments - Cosign is hard to maintain because it does so much. What I'd like to see for Sigstore tooling and clients is a core set of SDKs that are building blocks for signing other artifacts. For files/binaries/blobs, a simple tool that wraps an SDK is sufficient (or a light version of Cosign). Tools like Cosign, Gitsign and model-signing know how to canonicalize a more complex artifact into a bytestream to then be signed and verified by an SDK.

I guess the ask is why do we need another implementation of container signing when Cosign already exists?
