Add signing validation command and notation trust materials (#1984)

Add VerifySignaturesCommand that verifies container image signatures
using the notation CLI. This includes:

- NotationClient wrapper for notation CLI operations
- Notation trust policy files for supplychain and test environments
- Dockerfile changes to install notation and Microsoft Root CA
certificates
- Trust store configuration property for signature verification
- Unit tests for the verification command and notation client

This is part 2/3 of #1376.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.github/instructions/csharp.instructions.md

@@ -23,6 +23,7 @@ For all new C# code:
 - Do not add unused methods/parameters for use cases that were not asked for.
 - Reuse existing methods or services as much as possible.
 - Use composition over inheritance.
+- Use LINQ instead of for loops when working with collections.
 
 ## Error Handling & Edge Cases
 
@@ -50,7 +51,8 @@ For all new C# code:
 
 ## Comments
 
-- Add XML documentation comments for for new **public** or **internal** types and members.
+- Add XML documentation comments for new **public** or **internal** types and members.
+- Primary documentation belongs on interfaces, implementations should use `<inheritdoc/>` unless additional context is needed.
 - Comments that simply restate the member or parameter name do not provide value.
 - Comments should provide additional context or explain non-obvious behavior, especially for parameters.
 - Comments inside methods should explain "why," not "what".

src/Dockerfile.linux

@@ -6,6 +6,14 @@
 FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:9.0-azurelinux3.0 AS build-env
 ARG TARGETARCH
 
+# download root CA certificates for signature verification
+WORKDIR /
+RUN mkdir -p notation-trust/certs/test notation-trust/certs/supplychain \
+    && curl -fSL --output notation-trust/certs/test/root-ca.crt \
+       "https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Testing%20Root%20Certificate%20Authority%202019.crt" \
+    && curl -fSL --output notation-trust/certs/supplychain/root-ca.crt \
+       "https://www.microsoft.com/pkiops/certs/Microsoft%20Supply%20Chain%20RSA%20Root%20CA%202022.crt"
+
 WORKDIR /image-builder
 
 # restore packages before copying entire source - provides optimizations when rebuilding
@@ -30,9 +38,14 @@ RUN tdnf install -y \
       docker-cli \
       git \
       moby-engine \
+      notation \
       oras \
     && tdnf clean all
 
+# install notation trust materials (root CA certs + trust policies)
+COPY --from=build-env ["/notation-trust/", "/notation-trust/"]
+COPY ["notation-trust/policies/", "/notation-trust/policies/"]
+
 # install image-builder
 WORKDIR /image-builder
 COPY --from=build-env /image-builder/out ./