Sign our macOS bundles on Linux

I've wanted that for a long time and did not find an already open ticket, but we should leverage our hardened Linux box to sign our .dmg files as well, like we do for our .exe files. One part that makes it harder as the macOS signing is content signing while the authenticode signing is not. Another hard part is that there is no such thing as osslsigncode which we could use with (minimal) patching.

Or maybe there is? See: https://github.com/saucelabs/isign. However, there is still (much) work to do, see: https://github.com/saucelabs/isign/issues/88.