support container image verification via containerd

[ginglis13]

What I'd like:

I'd like for Bottlerocket to support containerd image verification plugins. I'd like the minimum first iteration of this feature to support signed containerd images via Notation CLI and AWS Signer, but I'd like the implementation and settings API to be general enough to extend to other image verification binaries and other signing tools (like cosign)

For the Notation + AWS Signer implementation, I'd like:

• A simple image-verifier binary that wraps the Notation CLI and adheres to the API for containerd image verification plugins
• Package notation and aws-signer-notation-plugin in the core-kit
• In the aws-signer-notation-plugin package, include both commercial and gov cloud root certificates for AWS Signer
• configure image verifiers in containerd via drop-in file

Any alternatives you've considered:

• As mentioned, cosign has been considered as an alternative to notation. The implementation will keep this alternative viable for future implementation.
• Additionally, considered a BYO cert design for the Notation settings API but taking an iterative approach and requesting for initial integration support AWS Signer + ECR.