Making gpgme dependency optional

[Jussi Laako <jussi laako linux intel com>]

Hi,

We would be interested to hear if there are any change plans regarding 
gpgme dependency? At the moment gpgme pulls in GPLv3 software and also 
causes some performance issues when used with bigger distribution builds.

To approach these challenges, I've been thinking about adding 
alternative, build time configure option to support PKCS#7 signatures 
and X.509 keys. This could be implemented using GnuTLS library which has 
support for both PKCS#7 and of course X.509 keys/PKCS#12 (certificates).

GnuTLS has also some amount of support for OpenPGP keys in addition to 
PKCS#11 and TPM keys. So this could allow also some expansion towards 
other key types, which I need to study more.

Based on reading of the ostree sources, this doesn't seem like too 
intrusive or big change and could be introduced as optional feature 
through configure option. After thinking about various alternatives, 
this seemed like clean way to address those two concerns.

Before starting to work on the code, I would like to hear your opinion 
and feedback on these thoughts and whether such could be acceptable for 
inclusion in ostree?


Best regards,

        - Jussi Laako