Support Helm chart provenance and integrity

Helm chart provenance and integrity checking is used to verify the integrity and origin of a Helm package. See https://helm.sh/docs/topics/provenance/ for details. It uses a provenance record co-located with the package in the repository to do the verification. The provenance record is a PGP-signed sha256 checksum of the chart package, stored in a file at the same location and with the same name as the chart, but with a .prov extension added (e.g. mychart.tgz.prov next to mychart.tgz).
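As an added example (not code from Helm or GitLab), the check a consumer runs against such a record: parse the `files:` block of the .prov, compare the listed sha256 with the digest of the packaged chart, and, for origin, verify the PGP clear-signature with gpg. The chart bytes and the .prov text are constructed here and carry no real signature; the `verify_signature` helper assumes gpg is on PATH and the signer's public key is in the given keyring.

```python
# Added example: verifying a Helm chart package against its .prov provenance
# record. Illustration code, not part of GitLab or Helm; SAMPLE_CHART and
# SAMPLE_PROV below are constructed stand-ins (no real signature).
import hashlib
import hmac
import shutil
import subprocess
from pathlib import Path

SIG_HEADER = "-----BEGIN PGP SIGNATURE-----"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the packaged chart bytes (the .tgz as uploaded)."""
    return hashlib.sha256(data).hexdigest()


def parse_prov(prov_text: str) -> dict:
    """Return {chart_filename: sha256hex} from the 'files:' block of a .prov.

    The block sits inside the PGP clear-signed message, just before the
    signature; each entry has the form '  name.tgz: sha256:<hex>'.
    """
    digests = {}
    in_files = False
    for line in prov_text.splitlines():
        if line.strip() == "files:":
            in_files = True
            continue
        if not in_files:
            continue
        if line.startswith(SIG_HEADER) or not line.strip():
            break
        name, _, value = line.strip().partition(":")
        value = value.strip()
        if not value.startswith("sha256:"):
            raise ValueError(f"unsupported digest in provenance entry: {line!r}")
        digest = value[len("sha256:"):].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed sha256 digest for {name!r}")
        digests[name.strip()] = digest
    if not digests:
        raise ValueError("no 'files:' block found in provenance record")
    return digests


def check_integrity(chart_filename: str, chart_bytes: bytes, prov_text: str) -> bool:
    """True iff the .prov lists chart_filename with a digest equal to the
    SHA-256 of chart_bytes. A missing entry is a failure, not a pass."""
    expected = parse_prov(prov_text).get(chart_filename)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(chart_bytes))


def verify_signature(prov_path: Path, keyring=None) -> bool:
    """Check the PGP clear-signature on the .prov with gpg.

    Assumption: gpg is on PATH and the signer's public key is in `keyring`
    (or the default keyring). This step, not the digest match, is what ties
    the checksum to an origin: whoever can replace the .tgz can replace an
    unsigned checksum too.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found; cannot verify provenance signature")
    cmd = [gpg, "--batch", "--verify"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd.append(str(prov_path))
    return subprocess.run(cmd, capture_output=True).returncode == 0


# Constructed sample input: stand-ins for mychart-0.1.0.tgz and its .prov.
SAMPLE_CHART = b"constructed stand-in for a packaged chart\n"
SAMPLE_PROV = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: mychart
version: 0.1.0

...
files:
  mychart-0.1.0.tgz: sha256:{sha256_hex(SAMPLE_CHART)}
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""


def demo() -> dict:
    """Integrity check on the intact sample, a tampered copy and a wrong name."""
    return {
        "intact": check_integrity("mychart-0.1.0.tgz", SAMPLE_CHART, SAMPLE_PROV),
        "tampered": check_integrity("mychart-0.1.0.tgz", SAMPLE_CHART + b"\x00", SAMPLE_PROV),
        "wrong_name": check_integrity("other-0.1.0.tgz", SAMPLE_CHART, SAMPLE_PROV),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the digest comparison on its own only catches corruption or an attacker who could swap one file but not the other; since the API upload (and deletion) handles the chart alone, a repository that cannot store the .prov beside it leaves clients with no signature to check at all, which is the gap the request below describes.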

The current API does not support uploading a provenance file along with the chart package. From https://docs.gitlab.com/ee/api/packages/helm.html#upload-a-chart, we see the following:

curl --request POST \
     --form 'chart=@mychart.tgz' \
     --user <username>:<personal_access_token> \
     "https://gitlab.example.com/api/v4/projects/1/packages/helm/api/stable/charts"

Perhaps adding an optional provenance form field, e.g. --form 'provenance=@mychart.tgz.prov', that uploads the corresponding provenance file alongside the chart could be used to specify the provenance file. The provenance file would also need to be deleted when the corresponding package is deleted.
