sign created images after build

[aparcar]

Sign images in a separate container after the images is created. This prevents malicious installed packages to steal private keys with post-install scripts.

[codecov]

Codecov Report

Attention: 3 lines in your changes are missing coverage. Please review.

Comparison is base (ebaa542) 86.69% compared to head (506b4c2) 86.50%.

❗ Current head 506b4c2 differs from pull request most recent head 6532a1c. Consider uploading reports for the commit 6532a1c to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #587      +/-   ##
==========================================
- Coverage   86.69%   86.50%   -0.20%     
==========================================
  Files          13       13              
  Lines         932      941       +9     
==========================================
+ Hits          808      814       +6     
- Misses        124      127       +3     

Files	Coverage Δ
asu/common.py	94.73% <100.00%> (ø)
asu/build.py	80.67% <66.66%> (-1.15%)	⬇️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.