Make signing_cert optional for most of the signing process

[MatthiasValvekens]

Description of the changes

This is an internal plumbing change that makes the signature preparation process less reliant on the signing_cert attribute in the Signer hierarchy. In other words, provided you're willing to go without some conveniences, you can now prepare documents for signing without having access to the signer's certificate ahead of time. This is mostly relevant for the interrupted signing workflow, more specifically in scenarios involving remote signing services that supply CMS objects containing short-lived certificates that are generated on-the-fly after the request is submitted.

This has come up often in the past, with issues going back as far as #3, but also #31, #90 and #103.

Caveats

Some of the things that pyHanko usually does automatically will no longer work in the absence of a signer's certificate. These include the following:

• default digest algorithm selection,
• signature container size estimation,
• certificate constraint enforcement,
• pre-signing revocation information collection.

Also note that, in practice, you still need a signer's certificate to assemble a working CMS SignedData container. As such, built-in signers like SimpleSigner and PKCS11Signer will keep the signing_cert requirement. ExternalSigner, which is largely a dummy implementation for use with the interrupted signing workflow, does accept None for the signer's certificate.

Checklist

Please go over this checklist to increase the chances of your PR being worked on in a timely manner. Deviations are allowed with proper justification (see previous section).

• I have read the project's CoC and contribution guidelines.
• I understand and agree to the terms in the Developer Certificate of Origin as applied to this contribution.
• All new code in this PR has full test coverage.

For new features (delete if not applicable)

• I have discussed the implementation of this feature with the project maintainer(s) on the discussion forum or over email.
• I have verified that my changes do not break existing API or CLI functionality, or ensured that all breaking changes are clearly documented in this PR.
• All public API functionality in this PR is documented.

[codecov-commenter]

Codecov Report

Merging #141 (2cd7a90) into master (a68bc84) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master     #141   +/-   ##
=======================================
  Coverage   98.69%   98.70%           
=======================================
  Files          75       75           
  Lines       11211    11232   +21     
=======================================
+ Hits        11065    11086   +21     
  Misses        146      146           

Flag	Coverage Δ
unittests	98.70% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pyhanko/sign/signers/cms_embedder.py	100.00% <100.00%> (ø)
pyhanko/sign/signers/pdf_cms.py	100.00% <100.00%> (ø)
pyhanko/sign/signers/pdf_signer.py	100.00% <100.00%> (ø)
pyhanko/pdf_utils/font/basic.py	100.00% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.