feat(plugin)!: pass payload digest when generate-signature #185

Closed
shizhMSFT wants to merge 7 commits into notaryproject:main from shizhMSFT:update_plugin

@shizhMSFT shizhMSFT commented Aug 15, 2022

Changes to SIGNATURE_GENERATOR.RAW capability:

  • payloadDigest instead of payload is passed in generate-signature.request.
    • Since only the digest of the payload is required, the plugin can fit crypto.Signer, and it simplifies the implementation of notation-core-go.
    • For the concern of the FIPS-compliance of hash implementation, it is not sufficient to delegate the hash computation to the plugin, as notation-go still uses the golang built-in hash implementation to do signature and certificate validation. For advanced scenarios, compiling notation under FIPS-compliant golang or implementing a plugin with SIGNATURE_GENERATOR.ENVELOPE capability should be considered.

Signed-off-by: Shiwei Zhang shizh@microsoft.com
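
Added example (not code from this PR or from notation-go): the digest-only request described above is what lets a plugin sit behind Go's `crypto.Signer`, whose `Sign` method takes a digest rather than a payload. The `pluginSigner` type, `newDemoSigner` and the callback shape are assumptions made for illustration, and an in-process ECDSA key stands in for a real plugin.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// pluginSigner adapts a digest-only generate-signature call to crypto.Signer.
// The field names and callback shape are assumptions, not the spec's wire format.
type pluginSigner struct {
	pub               crypto.PublicKey
	hash              crypto.Hash
	generateSignature func(payloadDigest []byte) ([]byte, error)
}

func (s *pluginSigner) Public() crypto.PublicKey { return s.pub }

// Sign forwards only the digest and rejects a hash or length mismatch.
func (s *pluginSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() != s.hash || len(digest) != s.hash.Size() {
		return nil, fmt.Errorf("digest does not match the key's hash algorithm")
	}
	return s.generateSignature(digest)
}

// newDemoSigner backs the adapter with an in-process P-256 key (constructed stand-in).
func newDemoSigner() (*pluginSigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sign := func(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, key, d) }
	return &pluginSigner{pub: &key.PublicKey, hash: crypto.SHA256, generateSignature: sign}, nil
}

func main() {
	s, err := newDemoSigner()
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("constructed payload"))
	sig, err := s.Sign(nil, digest[:], crypto.SHA256)
	fmt.Println(err == nil && ecdsa.VerifyASN1(s.pub.(*ecdsa.PublicKey), digest[:], sig))
}
```

Because the caller computes the digest, the length and hash checks in `Sign` are the only guard against a raw payload or a digest from a different algorithm reaching the key.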

Signed-off-by: Shiwei Zhang <shizh@microsoft.com>
@shizhMSFT
Contributor Author

This PR is also for COSE support since the Signer of go-cose accepts digests only.

@priteshbandi
Contributor

> * Moved `response.certificateChain` from `generate-signature` to `describe-key`.
>
>   * It is redundant to return the same certificate chain.
>   * Simplifies the implementation of `notation-core-go` where certificate chain can be obtained without generating any signature.

Moving certificateChain from generate-signature to describe-key opens up an edge case during certification rotation, where describe-key returns old certificateChain and generate-signature signs with new certificateChain.

@shizhMSFT
Contributor Author

shizhMSFT commented Aug 16, 2022

> Moving certificateChain from generate-signature to describe-key opens up an edge case during certification rotation, where describe-key returns old certificateChain and generate-signature signs with new certificateChain.

As discussed in the community call, I will move this part out to another PR #187 for discussion.

Signed-off-by: Shiwei Zhang <shizh@microsoft.com>
@shizhMSFT shizhMSFT added this to the RC-1 milestone Aug 16, 2022
@shizhMSFT shizhMSFT changed the title from "feat!: revise plugin extensibility spec" to "feat(plugin)!: revise plugin extensibility spec" Aug 16, 2022
Signed-off-by: Shiwei Zhang <shizh@microsoft.com>
@shizhMSFT shizhMSFT changed the title from "feat(plugin)!: revise plugin extensibility spec" to "feat(plugin)!: pass payload digest when generate-signature" Aug 16, 2022
@shizhMSFT
Contributor Author

We can close this PR if veraison/go-cose#101 is merged.

@shizhMSFT shizhMSFT closed this Aug 31, 2022
@dtzar dtzar modified the milestones: RC-1, alpha-4 Sep 29, 2022