impr: httpsig duplicate component handling on commit/verify

[charmful0x]

About

addressing the hanging TODO comment in the src/dev_codec_httpsig.erl module regarding RFC 9421 section 2.5 wrt enforcing a MUST:

If the component identifier (including its parameters) has already been added to the signature base, produce an error.

the change rejects duplicate entries in committed during signature base creation in normalize_for_encoding/3 (used by both sign + verify) using a non-perf affecting check (ulist then strict equal size check).

i added the duplicate_signature_component_test() and duplicate_signature_component_verify_test() tests, all mod eunit tests pass:

======================== EUnit ========================
module 'dev_codec_httpsig'
  dev_codec_httpsig: validate_large_message_from_http_test...[5.718 s] ok
  dev_codec_httpsig: committed_id_test...[0.024 s] ok
  dev_codec_httpsig: commit_secret_key_test...[0.001 s] ok
  dev_codec_httpsig: multicommitted_id_test...[3.623 s] ok
  dev_codec_httpsig: sign_and_verify_link_test...[0.015 s] ok
  dev_codec_httpsig: duplicate_signature_component_test...ok
  dev_codec_httpsig: duplicate_signature_component_verify_test...ok
  [done in 9.402 s]
=======================================================
  All 7 tests passed.

my git commits are signed