We want to turn on signing for dep builds, but these don't need to go through scriptworker or the signing servers. Ideally we'd have a script or set of scripts that can sign in the various formats (signtool? signingscript? another script?), and some non-privileged non-secret keys for dep signing. The keys can be auto-generated, or distributed through taskcluster level-1 secrets or a non-secret-keys-as-a-service service, so signing can happen on Try. We can run signing through this script on docker-worker.