Create Example app #633

Open
jku opened this issue Sep 1, 2023 · 1 comment
Labels: contribfest (Issues for KubeCon EU contribfest), docs

Comments

@jku
Collaborator

jku commented Sep 1, 2023

We should have example code and maybe a high level user manual in addition to the API reference.

I would suggest starting with an example app:

  • as minimal and easy-to-understand a signer/verifier CLI as possible (maybe a single app or two)
  • should use Signer API best practices
  • I suggest supporting file based keys first (while making it clear it's a demo: we do not recommend ever storing private keys on disk). This means that this issue is likely blocked by signer: Improved the "file-based signer" #617
  • it would be cool to be able to demo other keytypes as well (like a yubikey) but since most people don't have one that should be optional

Things I'd like to showcase:

  • choosing the right signing key with private key uri
  • verifying the signature

TODO:

  • expand on the above

References

@jku jku changed the title Example and/or User manual Create Example app and/or User manual Sep 1, 2023
@lukpueh lukpueh added the docs label Nov 2, 2023
@lukpueh lukpueh added the contribfest Issues for KubeCon EU contribfest label Mar 14, 2024
@jku jku changed the title Create Example app and/or User manual Create Example app Mar 14, 2024
@jku
Collaborator Author

jku commented Apr 25, 2024

securesystemslib example app

Rough sketch:

The example uses two working directories:

  • private/ -- this is where signing config is stored (and private key material for file keys)
  • public/ -- this is where signatures and public keys are "published" (this is the equivalent of TUF repository)

The example contains 2 separate apps; one has two commands:

  • signer add-key -- adds a new signing key
    • default is file based, --hsm uses a yubikey
    • publishes the new public key in public/<keyid>.json
    • stores signer uri in private/signers (and the private key content for file based keys in private/<keyid>.pem)
  • signer sign -- sign with all current keys
    • loops through list of signer uris in private/signers.json, signs predefined content with each
    • publishes the signatures in public/signatures.json
  • verify -- verify with all current public keys
    • loops through public/<keyid>.json, verifies the predefined content with each key

App state can be cleared by deleting private/ and public/.

@jku jku mentioned this issue Apr 29, 2024