This adds support for OpenPGP signatures containing provenance data.
Such information can be used to verify the integrity of a Chart by
testing that its file hash, metadata, and images are correct.
This first PR does not contain all of the tooling necessary for
end-to-end chart integrity. It contains just the library.
See #983
