
deploy: Install detached signatures if present #2497

Open. Wants to merge 1 commit into main.
Conversation

@kjbracey kjbracey commented Dec 8, 2021

When installing a kernel, initramfs or device tree, also install a detached signature (.sig) file if present.

Intended to support GRUB GPG signature enforcement.

This does not currently lead to a fully-functional secure solution, due to GRUB's pubkey verifier also checking config files, but it allows the verify_detached command to work, and could be part of a future solution coordinating a lockdown verifier (to determine which file types must be verified) with a relaxed pubkey verifier that does not immediately reject unsigned files.

When installing a kernel, initramfs or device tree, also install a
detached signature (.sig) file if present.

Intended to support GRUB GPG signature enforcement.

This does not currently lead to a fully-functional secure solution, due
to GRUB's pubkey verifier also checking config files, but it allows the
`verify_detached` command to work, and could be part of a future
solution coordinating a lockdown verifier (to determine which file types
must be verified) with a relaxed pubkey verifier that does not immediately
reject unsigned files.
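To make the installed-file layout concrete, here is an added shell example (not ostree's code and not part of this PR): it installs the kernel, initramfs and device tree from a source directory into a deployment directory, copies each artifact's detached `.sig` alongside it when present, and then lists any installed artifact that has no signature, which is exactly the case a lockdown verifier would have to catch. The artifact names `vmlinuz`, `initramfs.img` and `devicetree.dtb`, the directory layout and the sample contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not ostree's code. Install boot artifacts into a deployment
# directory, copying the detached .sig next to each one when present, then
# report installed artifacts that have no signature. All paths are assumed.
set -eu

# install_with_sig SRC DESTDIR
# Copies SRC into DESTDIR; if SRC.sig exists it is copied too, so a detached
# signature check (such as GRUB's verify_detached) finds it beside the file.
install_with_sig() {
    src=$1; destdir=$2
    mkdir -p "$destdir"
    cp "$src" "$destdir/$(basename "$src")"
    if [ -f "$src.sig" ]; then
        cp "$src.sig" "$destdir/$(basename "$src").sig"
    fi
}

# install_boot_artifacts SRCDIR DESTDIR
# Installs whichever of the (assumed) kernel, initramfs and device tree exist.
install_boot_artifacts() {
    for name in vmlinuz initramfs.img devicetree.dtb; do
        [ -f "$1/$name" ] && install_with_sig "$1/$name" "$2"
    done
    return 0
}

# unsigned_artifacts DESTDIR
# Prints the name of every installed artifact lacking a .sig; returns 1 if any.
unsigned_artifacts() {
    rc=0
    for f in "$1"/*; do
        case "$f" in *.sig) continue ;; esac
        if [ ! -f "$f.sig" ]; then
            basename "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree: kernel and initramfs signed, device tree unsigned.
# Prints the temporary directory it created.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/src"
    printf 'kernel' > "$d/src/vmlinuz";       printf 'sig' > "$d/src/vmlinuz.sig"
    printf 'initrd' > "$d/src/initramfs.img"; printf 'sig' > "$d/src/initramfs.img.sig"
    printf 'dtb'    > "$d/src/devicetree.dtb"
    echo "$d"
}
```

Running `install_boot_artifacts "$d/src" "$d/boot"` on the sample tree installs three artifacts and two signatures, and `unsigned_artifacts "$d/boot"` then reports `devicetree.dtb`.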
openshift-ci bot commented Dec 8, 2021

Hi @kjbracey-arm. Thanks for your PR.

I'm waiting for an ostreedev member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

lucab (Member) commented Dec 8, 2021

/ok-to-test

openshift-ci bot commented Jun 29, 2023

@kjbracey: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/images | 984213f | link | true | /test images |
| ci/prow/fcos-e2e | 984213f | link | true | /test fcos-e2e |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
