Add cherry-pickable shim for hsm signing

[tresf]

REOPENING AGAIN

Our build infrastructure uses a private-key that doesn't meet the latest minimum cryptography standards for code signing. This PR offers a patch which can be cherry-picked atop v2.1.1...v2.2.4 to build older versions using a newer HSM method (currently tailored for AWS KMS).

To keep this PR as simple as possible, it will always be force-pushed so that all changes exist in a single cherry-pickable commit.

# Old private.properties
signing.alias=
signing.tsaurl=
signing.keypass=
signing.storepass=
signing.keystore=

# New private.properties
hsm.storetype=
hsm.keystore=
hsm.alias=
hsm.storepass=
hsm.certfile=
hsm.tsaurl=
hsm.algorithm=

To apply to an older tagged release:

1. Comment out signing.tsaurl in private.properties
2. Add hsm.xxx signing property values above per Sign with AWS KMS ebourg/jsign#157
3. Compile and sign

   git reset --hard v2.1.1
   git cherry-pick commit_hash_from_this_pr
   ant nsis

Disadvantage:

• One slight disadvantage is that this will sign the files twice (once using self-signing and then again using the HSM). This behavior will be patched for 2.2.5.