Fix UKI example to not touch the content of /usr after the digest has been computed

[travier]

In https://bootc-dev.github.io/bootc/experimental-composefs.html#build-pattern-compute-digest-and-generate-uki-in-one-stage, we remove the kernel & initrd from the image after we've computed its composefs digest:

# Remove raw kernel/initramfs (now embedded in UKI)
RUN rm -f /usr/lib/modules/*/vmlinuz /usr/lib/modules/*/initramfs.img

This likely does not work. We should remove those files before we compute the composefs digest.

What we should be able to do instead is to move the kernel & initramfs out of the rootfs into a distinct directory before we compute the composefs hash and then use them in the UKI build step.

[travier]

The example should also probably use pesign as we switched to that a while ago.

[travier]

Related to: https://gitlab.com/fedora/bootc/docs/-/merge_requests/143 (which I have not fully read yet)

[jeckersb]

Related to: https://gitlab.com/fedora/bootc/docs/-/merge_requests/143 (which I have not fully read yet)

This whole thing is going to get reworked back into the examples to reflect the new sealing workflow and to get it into the CI pipeline for testing. I'll add a note over there but hopefully soon that will just get closed in favor of the reworked version.