Make tool to compare signed and unsigned dmg
Since macOS code signing modifies binary files to embed code signatures, it is not easy to check that the dmg from our reproducible build and the signed dmg we publish are the same apart from the signatures.
I think we could make a tool to compare a signed and unsigned dmg.
It seems there is a codesign --remove-signature command that can be used on macOS to remove signatures. I don't know if the same can be done on Linux.
Maybe rcodesign compute-code-hashes can also help for that.
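As an added illustration (not code from this issue or the project) of what "the same apart from the signatures" means at the byte level for one thin 64-bit Mach-O inside the dmg: the script below masks the fields codesign rewrites (header ncmds/sizeofcmds, the LC_CODE_SIGNATURE load command, the __LINKEDIT size fields and the signature blob) and compares everything else. It assumes little-endian thin binaries with no fat wrapper; the sample binaries and their layout are constructed for the example.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x19, 0x1D

def signature_ranges(data):
    """Byte ranges of a thin little-endian 64-bit Mach-O that signing rewrites:
    ncmds/sizeofcmds in the header, the LC_CODE_SIGNATURE load command,
    the __LINKEDIT vmsize/filesize fields and the signature blob itself."""
    if len(data) < 32 or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    ranges, off = [(16, 24)], 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            ranges += [(off, off + cmdsize), (dataoff, dataoff + datasize)]
        elif cmd == LC_SEGMENT_64 and data[off + 8:off + 24].rstrip(b"\0") == b"__LINKEDIT":
            ranges += [(off + 32, off + 40), (off + 48, off + 56)]  # vmsize, filesize
        off += cmdsize
    return ranges

def masked(data, ranges, length):
    """Zero-pad to `length`, then zero every byte covered by `ranges`."""
    buf = bytearray(data.ljust(length, b"\0"))
    for start, end in ranges:
        buf[start:min(end, length)] = bytes(max(0, min(end, length) - start))
    return bytes(buf)

def same_apart_from_signature(unsigned, signed):
    """True when the two binaries differ only in signature-related bytes."""
    ranges = signature_ranges(unsigned) + signature_ranges(signed)
    n = max(len(unsigned), len(signed))
    return masked(unsigned, ranges, n) == masked(signed, ranges, n)

def build_sample(signed, payload=b"\xcc" * 48):
    """Constructed toy binary: header, a __LINKEDIT segment, 16 bytes of
    load-command slack, then the payload. The signed variant fills the slack
    with LC_CODE_SIGNATURE, grows __LINKEDIT and appends a fake 16-byte blob."""
    blob = b"\xfa\xde\x0c\xc0" + b"\0" * 12  # CSMAGIC_CODEDIRECTORY, bogus body
    le_off, le_size = 120, len(payload) + (len(blob) if signed else 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         2 if signed else 1, 88 if signed else 72, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__LINKEDIT",
                      0x4000, le_size, le_off, le_size, 1, 1, 0, 0)
    if not signed:
        return header + seg + b"\0" * 16 + payload
    cs = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, le_off + len(payload), len(blob))
    return header + seg + cs + payload + blob
```

A real tool would still have to mount or extract the dmg, walk every Mach-O in the bundle (including fat slices), and treat the _CodeSignature directory and other signature-only files separately; this sketch only shows the per-binary comparison.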