OpenPGP signing via YubiHSM

As part of https://gitlab.com/freexian/organization/okr/-/issues/10, we need to make it possible to secure all of Debusine's OpenPGP keys using a hardware token. We already support using a YubiHSM for OpenSSL-based signing methods, but not yet for OpenPGP.

Unlike with YubiKeys, this isn't very well documented. There are at least some existing approaches around, with varying levels of support:
