New features

• Add commands for managing signing keys.
• Add runtime sign command and move signing out of the build step.
• Implement signing IPC for provisioning scripts.
• Sign runtime images as part of the build pipeline.
• Update signing keys to support hardware TPM2, YubiKey, and ed25519-compact.
• Update PKCS#11 to use SHA256 base16-encoded key IDs.

Improvements

• Always copy extension binaries to runtime build.
• Run SDK compile for external extensions.
• Refactor how external extension configs are merged.
• Add AVOCADO_VERBOSE and AVOCADO_RUNTIME_BUILD_DIR to provisioning scripts environment.
• Add src_dir to utils as a variable.
• Update provision state file extension default to .state.

Bug fixes

• Fix avocado-sign-request response saving.
• Fix provisioning signing race condition.
• Fix permissions on provisioning --out files.