This repository has been archived by the owner on Mar 24, 2022. It is now read-only.

Add a feature flag to allow excluding crypto dependencies in lucet-module-data #279

Closed
shravanrn opened this issue Sep 5, 2019 · 2 comments

Comments

@shravanrn
Contributor

Context
This is part of a series of bugs that I spoke to @tyler @pchickey about. We are currently using Lucet to sandbox libraries in C++ applications. The idea behind this is that using a wasm sandboxed version of the library allows ensuring that a memory safety issue in the library does not automatically result in a memory safety vulnerability in the full application. One of the consumers of this work is the Firefox web browser.

Problem
lucet-module-data provides the ability to check the signature of modules prior to loading. However, for the library sandboxing case, the libraries are packaged and sent together and thus have their own signing/certificate mechanisms. Thus dependencies like minisign, pbkdf2, subtle etc. are all unused.

In order to simplify the dependency story here, would it make sense to add a feature flag that allows us to exclude the signing functionality? This feature flag would enable inclusion of signing code by default, but would provide us the ability to remove the functionality (and dependencies).

Actions
Please let me know your thoughts on this. If this sounds good, please also let me know if this is a change that can happen internally or if it would be better if I work on a patch that can be accepted?

@acfoltzer
Contributor

We'd be happy to accept a patch that adds a feature flag, where the flag is on by default. Testing with and without the feature flag will require some extensions to our CI setup, which is currently in flux for other reasons, so for the time being we'd want to be clear that the non-default configurations are not officially supported.

shravanrn added a commit to PLSysSec/lucet_sandbox_compiler that referenced this issue Sep 10, 2019
ekilmer added a commit to ekilmer/lucet that referenced this issue Sep 13, 2019
shravanrn added a commit to PLSysSec/lucet_sandbox_compiler that referenced this issue Sep 17, 2019
@shravanrn
Contributor Author

Actually, on speaking to Mozilla folk, it looks like we won't be needing this going forward. So closing this issue.
