Create a new MAR signing key and bake it into Tor Browser

We want to deprecate the MAR signing key mostly used for signing our MAR files so far and embed a new one instead. This is the begin of a yearly-ish procedure as there is no good way of revoking a MAR signing key.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information