Specify how digital signatures are to be crafted on Type-2

[ssaavedra]

The previous specification does not provide enough information on how to properly construct valid signatures in the AppImage ecosystem.

For interoperability, and using the current implementation as a reference, this changeset specifies how to construct valid signatures for Type-2 AppImages that are compatible with the current toolset.

C.f.: https://github.com/AppImage/AppImageKit/issues/1010

[probonopd]

Thank you very much @ssaavedra. Looks like this adequately describes the current implementation, but are we sure that we want to mandate gpg-style signatures? Should we also allow OpenSSL style signatures? @TheAssassin, all, what do you think?

[shoogle]

Make it simple and allow one type only. "Can your application verify AppImage signatures?" should be a Yes / No question, not "We support some signatures but not others".

[probonopd]

While we are at it, we should probably also document how the signature has to be made and checked (e.g., how the digest works and what has to be skipped). Issue with this is that current implementation differs from what I had in mind (even using an undocumented section), so need to discuss with @TheAssassin what to do.

[ssaavedra]

Is there any reason to prevent this from getting into the draft? I've reviewed the text and modified it a bit with the hope to keep it as unambiguous as possible.

[probonopd]

Hi @ssaavedra. Thank you very much for your contribution.

@TheAssassin and I need to fact-check it. Also, I think the current implementation is more complicated than it needs to be but I don't remember the exact specifics (something about some identifier that had been quietly introduced into the implementation at some time). So it's questionable whether we want to document the current behavior, or whether we want to simplify it first.