@spec sign(binary(), binary(), binary(), binary()) ::
  {:ok, binary()} | {:error, term()}

Signs data and produces a DER-encoded PKCS#7 SignedData structure.

• data — the binary content to sign (manifest JSON for Apple Wallet)
• cert_pem — PEM-encoded signer certificate
• key_pem — PEM-encoded private key for the signer
• extra_certs_pem — PEM-encoded additional certificates (e.g., WWDR)

Returns {:ok, der_binary} or {:error, reason}.