Move GPGSigner to intoto

[jku]

I think the plan is as follows (@lukpueh can correct):

• Move GPGSigner from securesystemslib to somewhere under intoto umbrella
• Also add GPGKey in the same place
• intoto can then use the new dispatch mechanisms (from signer: Add abstract Key class, implement private key uri scheme for Signer #456) to support gpg in intoto with just a small amoun of hacks
  • e.g. use (None, None) as the keytype/scheme-tuple
  • handle the special keyid matching

This is done because the gpg key and signature have serialization formats that are not quite compatible with the specifications. The goal is:

• intoto can keep supporting the current key and sig formats for backwards compat
• we can later add more specification compatible GPG support into securesystemslib (but this won't be compatible with the format in intoto)

[lukpueh]

FYI: in-toto is not yet using GPGSigner, but calls securesystemslib.gpg.functions.create_signature directly. Given that python-tuf doesn't use GPGSigner either, and we don't make API promises to anyone else, I suggest we fix the GPGSigner in here to generate a spec-compatible a Signature, and also add a spec-compatible GPGKey here.

There is ongoing work, which uses a GPGSigner to sign DSSE envelopes and traditional in-toto metadata. It would actually be great if that was a spec-compliant one. DSSE is new and does not need to support the current incompatible format, and in-toto might as well create signatures in the new format as long as it can still verify old signatures.
(details in: #370 (comment))