Currently the package validation happens in two different moments in the onboarding flow. A certificate validation happens in the controller OrchestrationTemplateCandidateImpl and a later one happens at the package Handlers OrchestrationTemplateZipHandler or OrchestrationTemplateCSARHandler depending on the package type.

The certificate verification should only happen for the signed csar package, a zip that comes with a signature with certificate / signature + certificate and csar package. So this should be done on that package Handler, not for every package.

This is a change to accommodate better the other security validations that are needed for signing individual package artifacts. Also to provide the handlers all the necessary information about the onboarded package for validation.