Verify pending artifacts using compos.info

Rather than a signature file per artifact file, we now expect a single
file + signature giving the path & root digest of all artifacts from
CompOS - reusing the OdsignInfo format.

There's a lot of now-dead code that can be removed; I'll do that in a
follow-up CL (and remove the remaining test tool client).

Bug: 209572241
Test: Run compos_key_cmd sign-info, check signatures accepted
Test: Check artifacts already in fs-verity and not
Test: Check various failure cases correctly rejected
Change-Id: Iaa85d8b28abfedb9d99985d6e87980881f470354
3 files changed