This repository has been archived by the owner on Jul 22, 2024. It is now read-only.

Add BYO keys #29

Open
loosebazooka opened this issue Jun 17, 2021 · 6 comments

Comments

@loosebazooka
Member

Allow users to specify their own keys and skip fulcio.

@hboutemy
Collaborator

@loosebazooka is it still a valid use case?

@bmarwell

Yes! ;)

@bmarwell

@hboutemy here's the use case

Local / company repository.

  1. You want to sign the jar/pom just for the sake of signing it and then throw away the private (and even public) key
  2. You want to sign the jar/pom and then upload the key to a company-private keyserver
  3. Roll your own fulcio instance and upload everything there

In any case, neither the key material nor the artifact metadata should leave the private network.

Instead of "BYO key", maybe "generate a throw-away key locally" might be a valid description.

@loosebazooka
Member Author

I think technically the Java client can support this? It's not clear if that's something that all the clients want to support right now. @bobcallaway @haydentherapper

As for the private use case, that can be handled by injecting references to the private infra into the current signer. Again, not something that is exactly straightforward right now, but we can support it. I think #158 is trying to solve that.

@bobcallaway
Member

cosign supports BYOK and/or integration with KMS providers, so I think it's reasonable for the other SDKs to do the same.

@haydentherapper

Bring your own key is reasonable for those who already have experience managing PKIs or keys. I would still require publishing the signing event to rekor so you get the benefit of transparency (again, something cosign supports, which can be turned off with an insecure flag).
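The two points made in this thread, the "generate a throw-away key locally" use case from @bmarwell's comment and @haydentherapper's requirement that the public signing event still be recorded for transparency, can be illustrated with a small standalone program. The following is an added example written for this page, not code from sigstore-java, cosign or any Rekor client: it generates an ephemeral ECDSA P-256 key that never leaves the signing function, signs the SHA-256 digest of an artifact, and returns only the public record (digest, public key, signature) that a transparency log would need. The `SigningEvent` type and its field layout are an assumption for illustration and are not a Rekor entry format; the artifact bytes are constructed stand-ins for a jar or pom.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"fmt"
)

// SigningEvent is the public part of a signing operation: everything a
// transparency log would need to record. It carries no private key material.
// Constructed for this example; it is not a Rekor entry format.
type SigningEvent struct {
	ArtifactSHA256 string // hex-encoded SHA-256 digest of the signed artifact
	PublicKeyPEM   string // PEM-encoded SubjectPublicKeyInfo of the signing key
	SignatureB64   string // base64 of the ASN.1 DER ECDSA signature over the digest
}

// signWithEphemeralKey generates a fresh P-256 key pair, signs the artifact
// digest, and returns only the public signing event. The private key is
// scoped to this function and discarded on return ("throw-away key").
func signWithEphemeralKey(artifact []byte) (SigningEvent, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SigningEvent{}, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SigningEvent{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return SigningEvent{}, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return SigningEvent{
		ArtifactSHA256: hex.EncodeToString(digest[:]),
		PublicKeyPEM:   string(pemBytes),
		SignatureB64:   base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// verifyEvent checks the recorded signature against the artifact using only
// the public key carried in the event. Any mismatch or malformed field
// yields false rather than an error, so callers cannot accidentally treat a
// parse failure as success.
func verifyEvent(ev SigningEvent, artifact []byte) bool {
	digest := sha256.Sum256(artifact)
	if hex.EncodeToString(digest[:]) != ev.ArtifactSHA256 {
		return false
	}
	block, _ := pem.Decode([]byte(ev.PublicKeyPEM))
	if block == nil {
		return false
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(ev.SignatureB64)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed stand-in for a jar/pom; a real client would hash the file.
	artifact := []byte("constructed artifact bytes standing in for a jar")
	ev, err := signWithEphemeralKey(artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies:", verifyEvent(ev, artifact))
	fmt.Println("tampered verifies:", verifyEvent(ev, []byte("constructed artifact bytes, tampered")))
	fmt.Println("public record:\n" + ev.PublicKeyPEM)
}
```

Only the `SigningEvent` value would leave the private network if the event were published to a transparency log; the private key lives on the stack of `signWithEphemeralKey` and is unreachable after it returns, which is what makes the "sign and then throw the key away" workflow verifiable later without retaining any secret.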


5 participants