Implement a new Sign-JSON type job for secure signing of SBOM json using an EF PEM/signService

[andrew-m-leonard]

EPIC adoptium/ci-jenkins-pipelines#610 documents the parts required to implement SBOM json signing.
This issue is to implement the necessary temurin-build/ci-jenkins-pipelines parts to interface with an EF provided signing PEM or "json signing service".

[Haroon-Khel]

Work that needs to be done:

https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/ has been created to replicate https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_gpg/ but to use the PEM format. The sign_temurin_jsf job needs to be updated to use https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/sign_src/TemurinSignSBOM.java to sign the SBOM file

Because we dont want the jenkins worker node to build any of the cyclone dx jars, this needs to run in the build scripts during the jdk build,

temurin-build/cyclonedx-lib/build.xml

Line 68 in 62ecfba

<target name="build-sign-sbom" depends="dep-checks, clone-and-build-openkeystore, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema, download-commons-codec, download-commons-io, download-github-package-url, compile-sign-sbom, jar-sign-sbom">

, and then archived, and then pulled onto the jenkins worker node during the sign_temurin_jsf job

[Haroon-Khel]

#4017 ensures the SBOM signing jars get built. adoptium/ci-jenkins-pipelines#1131 kicks off the sign_temurin_jsf job. Work in progress