Draft: Add initial design for code-signing service
There are lots of explicit to-do points here, and probably also some things I haven't thought about - but it's hopefully enough to allow some useful early feedback.
I've been working on the assumption that we'll want to make an effort to reuse the FTP team's existing code-signing tool rather than reimplementing it, on the grounds that I think it's likely to be more acceptable to the Debian security team if we're reusing as much of this sort of sensitive code as possible; it also seems likely that debusine and dak will be running in parallel for some time and I doubt we want the logic to diverge. However, there are a number of awkward (though not insurmountable) roadblocks, and if we decide that it's easier to reimplement it as part of a small debusine-signing service or similar, then I don't think that should be completely off the table.
Fixes: #272 (closed)