Integrate SignPath for automated Windows code signing #1479

Open

awawa-dev wants to merge 1 commit into master from signpath
Conversation

@awawa-dev (Owner)

Overview

This PR introduces automated digital signing for Windows artifacts using the SignPath OSS Foundation program. This addresses the long-standing issue of "Unknown Publisher" warnings for our Windows users.

Note: This change affects only the Windows build pipeline. Linux and macOS installers remain unaffected and continue to be processed through their existing workflows.

Changes

  • Added a dedicated sign-windows job to the CI pipeline, running on Ubuntu for efficiency.
  • Integrated SignPath's Trusted Build System (GitHub Action V2) to ensure a secure supply chain.
  • Configured dynamic signing policy selection:
    • test-signing: Used for development builds and PRs.
    • release-signing: Reserved for official tagged releases (requires certificate approval).
  • Updated the publish job to wait for and use the signed Windows binaries.

Impact on HyperHDR (Windows only)

  • Verified Publisher: Once the production certificate is imported, the Windows SmartScreen "Blue Window" and "Unknown Publisher" warnings will be eliminated.
  • Security: Guarantees that the Windows .exe installer has not been tampered with after being built in our CI environment.

Part of the transition to the SignPath Foundation program for verified Windows distribution.
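As an added illustration of the pipeline shape described above (this is not the PR's own workflow file, which is not shown on this page), the following GitHub Actions workflow builds on a Windows runner, selects `test-signing` or `release-signing` from the triggering ref, submits the unsigned installer to SignPath from an Ubuntu job, and, for tagged releases, verifies the resulting Authenticode signature before anything is published. Assumptions: the SignPath action `signpath/github-action-submit-signing-request@v2` and the input names used here (check them against SignPath's documentation), the secret names `SIGNPATH_API_TOKEN` and `SIGNPATH_ORGANIZATION_ID`, the project slug, the artifact names, the installer path, and the publisher CN placeholder are all chosen for this example.

```yaml
# Added example, not the PR's workflow. Action inputs, secret names, the
# project slug, artifact names and paths are assumptions for illustration.
name: windows-signing

on:
  pull_request:
  push:
    branches: [master]
    tags: ['v*']

jobs:
  build-windows:
    runs-on: windows-latest
    outputs:
      artifact-id: ${{ steps.upload.outputs.artifact-id }}
    steps:
      - uses: actions/checkout@v4
      # ... build steps that produce installer/HyperHDR-setup.exe (placeholder path)
      - id: upload
        uses: actions/upload-artifact@v4
        with:
          name: windows-unsigned
          path: installer/HyperHDR-setup.exe

  sign-windows:
    needs: build-windows
    runs-on: ubuntu-latest   # signing happens at SignPath, so no Windows runner is needed
    steps:
      # Dynamic policy selection: only a tag push uses the release policy;
      # pull requests and branch pushes are test-signed.
      - id: policy
        run: |
          if [ "${{ github.ref_type }}" = "tag" ]; then
            echo "slug=release-signing" >> "$GITHUB_OUTPUT"
          else
            echo "slug=test-signing" >> "$GITHUB_OUTPUT"
          fi
      - uses: signpath/github-action-submit-signing-request@v2
        with:
          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
          organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
          project-slug: hyperhdr   # assumed slug
          signing-policy-slug: ${{ steps.policy.outputs.slug }}
          github-artifact-id: ${{ needs.build-windows.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: signed
      - uses: actions/upload-artifact@v4
        with:
          name: windows-signed
          path: signed/

  publish:
    needs: sign-windows
    runs-on: windows-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: windows-signed
          path: signed
      # Release-only check before publishing: the signature must chain to a
      # trusted root and name the expected publisher. Test-signed builds are
      # skipped because their certificate is intentionally untrusted.
      - if: github.ref_type == 'tag'
        shell: pwsh
        run: |
          $sig = Get-AuthenticodeSignature -FilePath signed/HyperHDR-setup.exe
          if ($sig.Status -ne 'Valid') { throw "Signature status: $($sig.Status)" }
          $subject = $sig.SignerCertificate.Subject
          if ($subject -notmatch 'CN=EXPECTED_PUBLISHER_PLACEHOLDER') {
            throw "Unexpected signer: $subject"
          }
          Write-Host "Installer signed by $subject"
      # ... release upload steps follow
```

Since the release policy requires approval (as the Changes list notes), a job that waits for completion will block until a SignPath approver acts; a workflow can instead submit without waiting and fetch the signed artifact in a later run. The verification step is the cheap guard worth keeping either way: it turns a misconfigured policy or a wrong certificate into a failed job rather than a published installer.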

@awawa-dev awawa-dev self-assigned this Mar 14, 2026