
Add support for signing with Tink keyset #2228

Merged (1 commit), Sep 26, 2024

Conversation

haydentherapper (Contributor)

This allows deployers to securely sign in-memory while mitigating key exfiltration, since the key is encrypted at rest and loaded into memory at server startup.

Requires providing a path to an encrypted Tink keyset and the Key Encryption Key, a KMS URI for decrypting the keyset.

Heavily pulls from Fulcio's Tink implementation.

Summary

Release Note

Documentation

This allows deployers to securely sign in-memory while mitigating key
exfiltration, since the key is encrypted at rest and loaded into memory
at server startup.

Requires providing a path to an encrypted Tink keyset and the Key
Encryption Key, a KMS URI for decrypting the keyset.

Heavily pulls from Fulcio's Tink implementation.

Signed-off-by: Hayden Blauzvern <[email protected]>

codecov bot commented Sep 25, 2024

Codecov Report

Attention: Patch coverage is 48.21429% with 58 lines in your changes missing coverage. Please review.

Project coverage is 51.40%. Comparing base (488eb97) to head (2a76412).
Report is 192 commits behind head on main.

Files with missing lines | Patch % | Lines
pkg/signer/tink/tink.go | 55.07% | 21 Missing and 10 partials
pkg/signer/tink.go | 24.24% | 23 Missing and 2 partials
pkg/signer/signer.go | 33.33% | 2 Missing
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2228       +/-   ##
===========================================
- Coverage   66.46%   51.40%   -15.06%     
===========================================
  Files          92      192      +100     
  Lines        9258    19590    +10332     
===========================================
+ Hits         6153    10071     +3918     
- Misses       2359     8429     +6070     
- Partials      746     1090      +344     
Flag | Coverage Δ
e2etests | 49.55% <7.14%> (+1.99%)
unittests | 43.02% <44.64%> (-4.67%)


@cpanato cpanato (Member) left a comment

thanks
lgtm

@haydentherapper haydentherapper merged commit 5e341f2 into sigstore:main Sep 26, 2024
15 checks passed
@github-actions github-actions bot added this to the v1.2.2 milestone Sep 26, 2024