Signing resource manifests

[SteveL-MSFT]

Summary of the new feature / enhancement

Need a way to sign a resource manifest to ensure it hasn't been tampered. The manifest should include a hash of the executable or the thumbprint of it's signature otherwise the resource manifest is trusted, but uses a bogus executable.

Proposed technical implementation details (optional)

No response

[michaeltlombardi]

Also worth noting that we should consider as at least related SBOMs. If I care about the manifest being signed, I also probably care about the SBOM for a resource.

Relatedly, I discovered the GitHub uses cosign for artifact and sbom attestations - and that the rust library for cosign/sigstore is under active development. This could make for an easier path towards having a built-in model for this domain when we approach signed resources, especially in consideration with publishing them to an OCI Registry (see #92).