Sign `gh.exe` binaries in addition to signing the MSI installer

[mislav]

This would help identify Windows binaries that were officially packaged by us vs. ones that might have been modified/corrupted. Right now, we only do signing with the MSI installer.

Ref. #2064
Followup to #148

[mbpreble]

Hoping to have a draft PR up for this within a few days. I think there's a path to signing the Windows binaries in a post-build hook. Mono's signcode util is available in ubuntu (need 20.04 or a manual update of Mono for the ability to sign with sha256).