fastlane-old / sigh

Because you would rather spend your time building stuff than fighting provisioning
https://fastlane.tools

Add support for homonymous entities #258

Closed baarde closed 8 years ago

baarde commented 8 years ago

Your keychain may contain homonymous entities (many certificates with the same subject name) when you request a new certificate from Apple without deleting the previous one (because you don't want to regenerate all your provisioning profiles right now).

This commit makes it possible to distinguish between homonymous entities by using the SHA-1 (which codesign accepts as an identity) of the certificate instead of its subject name. If you provide a SHA-1, it will be accepted. If you provide a subject name (like normal people do), it will be automatically substituted with the SHA-1 of the first matching certificate during the validation of the parameter.

Moreover, when displaying the list of available identities, homonymous certificates are grouped together and their SHA-1s are also displayed.

Before:

$ sigh resign GLaDOS.ipa
[18:51:24]: Available identities: 
    iPhone Distribution: Aperture Science (5EG96SA3GS)
    iPhone Distribution: Aperture Science (5EG96SA3GS)
    iPhone Developer: Cave Johnson (9EKSC7UTQC)
    iPhone Developer: Caroline (VA8D49WR55)

Signing Identity: 

After:

$ sigh resign GLaDOS.ipa
[18:51:53]: Available identities: 
    iPhone Distribution: Aperture Science (5EG96SA3GS)
        1C68EA370B40C06FCAF7F26C8B1DBA9D9CAF5DEA
        035C2E0EE5B26D228AA7886CA5955C3B20B46782
    iPhone Developer: Cave Johnson (9EKSC7UTQC)
    iPhone Developer: Caroline (VA8D49WR55)

Signing Identity: 
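
The grouping and name-to-SHA-1 substitution described in the comment above, as an added Ruby example that is not code from this PR or from sigh. It parses output in the format of `security find-identity -v -p codesigning`; the sample is constructed from the names and SHA-1s shown above plus one placeholder hash, and the function names, regexes, the check that a supplied SHA-1 is in the listing, and the ambiguity warning are assumptions of this example.

```ruby
# Added example (not sigh's code). SAMPLE is constructed: it mimics the output
# of `security find-identity -v -p codesigning` using the names and SHA-1s
# from the PR description; PLACEHOLDER_SHA1 is an invented value.
PLACEHOLDER_SHA1 = ("0" * 39 + "1").freeze
SAMPLE = <<~OUT
  1) 1C68EA370B40C06FCAF7F26C8B1DBA9D9CAF5DEA "iPhone Distribution: Aperture Science (5EG96SA3GS)"
  2) 035C2E0EE5B26D228AA7886CA5955C3B20B46782 "iPhone Distribution: Aperture Science (5EG96SA3GS)"
  3) #{PLACEHOLDER_SHA1} "iPhone Developer: Cave Johnson (9EKSC7UTQC)"
     3 valid identities found
OUT

SHA1_RE = /\A[0-9A-F]{40}\z/i
IDENTITY_LINE = /^\s*\d+\)\s+([0-9A-F]{40})\s+"([^"]+)"/i

# Group SHA-1s by subject name, preserving keychain order.
def group_identities(output)
  groups = {}
  output.each_line do |line|
    match = IDENTITY_LINE.match(line)
    next unless match
    (groups[match[2]] ||= []) << match[1].upcase
  end
  groups
end

# Lines for the "Available identities" listing: SHA-1s are shown only
# under names shared by more than one certificate.
def format_identities(groups)
  groups.flat_map do |name, sha1s|
    sha1s.size > 1 ? [name, *sha1s.map { |sha1| "    #{sha1}" }] : [name]
  end
end

# Turn user input (subject name or SHA-1) into the SHA-1 passed to codesign.
def resolve_identity(input, groups)
  value = input.strip
  if SHA1_RE.match?(value)
    sha1 = value.upcase
    return sha1 if groups.values.flatten.include?(sha1)
    raise ArgumentError, "no identity with SHA-1 #{sha1}"
  end
  sha1s = groups.fetch(value) { raise ArgumentError, "no identity named #{value}" }
  # A name shared by several certificates is ambiguous: say which one was picked.
  warn "#{sha1s.size} certificates named #{value.inspect}, using #{sha1s.first}" if sha1s.size > 1
  sha1s.first
end

puts format_identities(group_identities(SAMPLE)) if __FILE__ == $PROGRAM_NAME
```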

baarde commented 8 years ago

Due to the expiration of the WWDR Intermediate Certificate, signing identities may be incorrectly reported as invalid by the security tool, thus preventing the user from resigning the IPA without renewing the certificate.

While renewing the certificate is required for App Store submissions, in-house apps continue to work. Moreover, because renewing the certificate may require revoking existing certificates, that renewal may not be possible in some cases (which is why this patch was written).

In order to remedy that issue, 2f030df0c6e782774cebd179624efe1542966fb5 provides the following changes:

In an ideal world, the signing identity would be extracted from the provisioning profile instead of asking the user. I may work on that in the more or less distant future. In the meantime, this patch should do the job.

asfalcone commented 8 years ago

@baarde Sorry for the delay on the review! This is looking great but I left a few comments that need your attention before this can be merged. Thanks 🌷

asfalcone commented 8 years ago

@baarde Hey just wanted to ping again on this issue. We're moving to the monorepo very soon and aren't able to migrate open PRs there. If you're able to address those comments above I'd love to merge your PR today!

asfalcone commented 8 years ago

@baarde Sorry to have to do this, but we're going to be starting work towards the monorepo shortly, so I need to close this PR for now. When the migration is complete, you can submit another PR with the same functionality and I'd be happy to review it there!

baarde commented 8 years ago

I'll do that. I need to find something better than .black and .white (which appears light gray). You're right: that doesn't look nice on terminals that don't use black as foreground color.