Add byhand script to perform code signing

It takes a tarball of code objects and generates a tarball of
corresponding detached PKCS#7 signatures (with '.sig' suffixes).

It will sign:
- EFI binaries (*.efi, vmlinuz-*) using pesign
- Linux kernel modules (*.ko) using sign-file from linux-kbuild-<version>

Currently it should work with private key files and certificates.  It
may be able to sign kernel modules with a key on a PKCS#11 device.
It definitely can't sign EFI binaries using a PKCS#11 device yet.