
Copilot AI commented Jul 11, 2025

This PR implements support for detached signed digests in the ISO boot verification system, enabling Heads to work with standard Linux distribution digest formats while maintaining full backward compatibility.

Problem

Currently, Heads only supports direct ISO signature verification (signing the entire ISO file). However, major Linux distributions commonly use detached signed digests where:

  • A digest file contains hash(es) of the ISO file
  • The digest file itself is GPG signed
  • This approach results in smaller signature files and faster verification

Solution

Enhanced initrd/bin/kexec-iso-init to support multiple detached digest formats:

Supported Formats

1. Standard per-file formats:

  • file.iso.sha256 + file.iso.sha256.sig
  • file.iso.sha1 + file.iso.sha1.sig
  • file.iso.md5 + file.iso.md5.sig

2. Ubuntu/Debian style:

  • SHA256SUMS + SHA256SUMS.gpg
  • SHA1SUMS + SHA1SUMS.gpg
  • MD5SUMS + MD5SUMS.gpg

3. Arch Linux style:

  • sha256sums.txt + sha256sums.txt.sig

4. Signature extensions:

  • .sig (standard)
  • .asc (ASCII armored)
  • .gpg (binary GPG signatures)

Implementation Details

The verification process now:

  1. Checks for detached digest files first
  2. Verifies GPG signature on the digest file using existing distro keys
  3. Computes hash of the ISO file
  4. Compares computed hash with signed digest
  5. Falls back to direct ISO signature verification if no detached digest found

Example Usage

For Ubuntu ISOs:

```bash
# Download these files to the same directory:
# - ubuntu-22.04.3-desktop-amd64.iso
# - SHA256SUMS
# - SHA256SUMS.gpg
# Heads will automatically detect and verify the detached digest
```

For Arch Linux ISOs:

```bash
# Download these files to the same directory:
# - archlinux-2023.11.01-x86_64.iso
# - sha256sums.txt
# - sha256sums.txt.sig
# Heads will automatically detect and verify the detached digest
```

Benefits

  • Smaller signature files - digest files are much smaller than full ISOs
  • Faster verification - no need to read entire ISO during signature verification
  • Standard compliance - follows common Linux distribution practices
  • Backward compatibility - existing signed ISOs continue to work unchanged
  • Multiple algorithms - supports SHA256, SHA1, and MD5 for flexibility
  • Secure - maintains same GPG verification using existing distro keys

Security

  • GPG signature verification ensures digest file authenticity
  • Hash verification ensures ISO file integrity
  • Uses existing distro GPG keys from /etc/distro/
  • Comprehensive error handling and logging
  • Secure fallback to existing direct signature verification

The implementation adds 111 lines of verification logic while maintaining full backward compatibility with existing functionality.

Fixes #28.
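The five-step flow in "Implementation Details" (find a detached digest, verify its signature, hash the ISO, compare, else fall back to the direct ISO signature), written out as an added POSIX shell example. This is not code from Heads' `initrd/bin/kexec-iso-init` or from this PR; the candidate file names and signature extensions follow the PR's list, while the `gpg` invocation, the keyring argument and the `make_sample_dir` helper with its constructed files are assumptions made here so the lookup and hash comparison can be exercised offline.

```shell
#!/bin/sh
# Added example, not Heads' own code: detached-digest lookup and hash check
# for an ISO, in POSIX sh so it could run under a busybox initrd.

# Try the PR's digest formats in order next to the ISO. On success sets
# FOUND_ALGO, FOUND_DIGEST and FOUND_SIG; returns 1 if nothing is found.
find_detached_digest() {
    dir=$1; iso_name=$2
    for cand in \
        "sha256:$iso_name.sha256" "sha1:$iso_name.sha1" "md5:$iso_name.md5" \
        "sha256:SHA256SUMS" "sha1:SHA1SUMS" "md5:MD5SUMS" \
        "sha256:sha256sums.txt"
    do
        algo=${cand%%:*}; digest=$dir/${cand#*:}
        [ -f "$digest" ] || continue
        for ext in sig asc gpg; do
            if [ -f "$digest.$ext" ]; then
                FOUND_ALGO=$algo; FOUND_DIGEST=$digest; FOUND_SIG=$digest.$ext
                return 0
            fi
        done
    done
    return 1
}

# Print the hash a sums file records for file name $2. Handles both the
# "hash  name" and "hash *name" (binary mode) layouts; fails if absent, so
# an ISO that is not listed in the signed digest is rejected.
expected_hash_for() {
    while read -r hash fname _; do
        fname=${fname#\*}
        if [ "$fname" = "$2" ]; then
            printf '%s\n' "$hash"
            return 0
        fi
    done < "$1"
    return 1
}

# Hex digest of file $2 with algorithm $1 (sha256, sha1 or md5).
compute_hash() {
    case $1 in
        sha256) tool=sha256sum ;; sha1) tool=sha1sum ;; md5) tool=md5sum ;;
        *) return 1 ;;
    esac
    "$tool" "$2" | cut -d' ' -f1
}

# 0 if the ISO's computed hash equals the digest file's entry for it.
verify_iso_hash() {
    want=$(expected_hash_for "$2" "$(basename "$3")") || return 1
    got=$(compute_hash "$1" "$3") || return 1
    # Some sums files carry upper-case hex; compare case-insensitively.
    [ "$(printf %s "$want" | tr 'A-Z' 'a-z')" = "$got" ]
}

# Detached signature $1 over file $2 with keyring $3 (assumed to be built
# from the distro keys the PR keeps under /etc/distro/).
verify_digest_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$1" "$2" >/dev/null 2>&1
}

# Full flow: detached digest first, direct ISO signature as the fallback.
verify_iso() {
    iso=$1; keyring=$2
    if find_detached_digest "$(dirname "$iso")" "$(basename "$iso")"; then
        verify_digest_signature "$FOUND_SIG" "$FOUND_DIGEST" "$keyring" \
            || { echo "digest signature invalid: $FOUND_SIG"; return 1; }
        verify_iso_hash "$FOUND_ALGO" "$FOUND_DIGEST" "$iso" \
            || { echo "ISO hash does not match signed digest"; return 1; }
        return 0
    fi
    [ -f "$iso.sig" ] && verify_digest_signature "$iso.sig" "$iso" "$keyring"
}

# Constructed sample: a fake ISO, an Ubuntu-style SHA256SUMS listing it next
# to an unrelated entry, and an empty .gpg file standing in for the signature.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'constructed ISO payload\n' > "$d/sample.iso"
    h=$(compute_hash sha256 "$d/sample.iso")
    printf '%s *other.iso\n%s *sample.iso\n' 0000000000 "$h" > "$d/SHA256SUMS"
    : > "$d/SHA256SUMS.gpg"
    printf '%s\n' "$d"
}
```

Usage in the flow above is `verify_iso /media/distro.iso /path/to/keyring.gpg`; the sample directory from `make_sample_dir` only exercises the lookup and hash steps, since its `.gpg` file is empty and would fail the signature check. Two choices matter for a defender: the per-file `file.iso.sha256` pair wins over the multi-file `SHA256SUMS` because it is checked first, and `expected_hash_for` fails closed when the ISO's name is not in the signed digest rather than accepting any hash in the file.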



Copilot AI changed the title [WIP] Have iso boot path support detached signed digests Add detached signed digest support for ISO boot verification Jul 11, 2025
Copilot AI requested a review from tlaurion July 11, 2025 01:48