Closed: andrew-m-leonard closed this 2 months ago
It is only possible to generate an "equivalent" PEM to a GPG key by exporting the private and public GPG key pair, importing it into gpgsm, and then creating an equivalent PEM from there.
This process requires the ability to export the "private" key, and obviously would not be possible for an end user verifying purely with a public GPG key.
We would thus need to manually publish an Adoptium "public" PEM key, which brings us back to the requirement of obtaining an "official" generated Adoptium PEM key pair from Eclipse.
Based on notes: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/3835#note_2682896

Verify the ability to convert the in-flight Adoptium GPG key to PEM, and check the use case of a user verifying the SBOM signature: can they create a public PEM from the public Adoptium GPG key?
Related: https://github.com/adoptium/temurin-build/issues/3452
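As an added example (not code from this issue, nor Adoptium's or Eclipse's tooling), here is the user-side half of the question above: for an RSA key, the public parameters carried in an OpenPGP public-key packet can be re-encoded as a SubjectPublicKeyInfo PEM with no private key involved, which is the part gpgsm cannot do from a public key alone. It assumes the first packet of binary `gpg --export` output is a v4 RSA primary key with an old-format header; the demo modulus is constructed, not a real Adoptium key.

```python
import base64
import struct
# Constructed demo modulus (NOT a real Adoptium key); 2048 bits so DER long-form lengths are exercised.
DEMO_N = int("C3A1" * 128, 16) | 1
DEMO_E = 65537

def mpi(x: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def build_pgp_rsa_pubkey_packet(n: int, e: int, created: int = 0) -> bytes:
    """Old-format header (0x99 = tag 6, 2-byte length) + v4 RSA body: the shape `gpg --export` emits first."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

def parse_pgp_rsa_pubkey_packet(pkt: bytes) -> tuple:
    """Return (n, e) from the leading tag-6 v4 RSA packet; refuse anything else rather than guess."""
    if pkt[0] != 0x99:
        raise ValueError("expected old-format public-key packet (0x99)")
    body = pkt[3:3 + struct.unpack(">H", pkt[1:3])[0]]
    if body[0] != 4 or body[5] != 1:  # version 4; algorithm 1 = RSA (encrypt or sign)
        raise ValueError("only v4 RSA keys are handled")
    pos, mpis = 6, []
    for _ in range(2):
        nbytes = (struct.unpack(">H", body[pos:pos + 2])[0] + 7) // 8
        mpis.append(int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"))
        pos += 2 + nbytes
    return mpis[0], mpis[1]

def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV; long-form length once content is 128 bytes or more."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def der_int(x: int) -> bytes:
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big") or b"\x00"
    return der_tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)  # keep INTEGER positive

def rsa_spki_pem(n: int, e: int) -> str:
    """SPKI = SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { n, e } } }, PEM-armoured."""
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    b64 = base64.b64encode(der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def pgp_packet_to_pem(pkt: bytes) -> str:
    return rsa_spki_pem(*parse_pgp_rsa_pubkey_packet(pkt))
```

A PEM derived this way only verifies raw signatures made with that key (e.g. `openssl dgst -verify`), not OpenPGP-format signatures, and it is exactly as trustworthy as the GPG public key it came from, so the key fingerprint still has to be checked against Adoptium's published one.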