implement support for SCT signature scheme in apkv3
Fulcio is a reference implementation of the SCT signature scheme, which allows for signing keys to be created on demand and retired after signing an artifact.
In our downstream distribution, we presently generate APKv2 files with signatures like .SIGN.FULCIO.[OIDC-identity-hash]
and validate their signatures when including them in our repositories. This works fine because of the APKv2 trust model.
However, APKv3 does not allow us to just "invent" a new signature scheme and use it for our own purposes. Accordingly we would like to add a signature type "fulcio" which stores the SCT signature data, but otherwise uses the APKv2 trust model (for now).
Thoughts?