Closed roblabla closed 2 years ago
Thank you for submitting this!
Regarding the dependency hell issue, yes, this is something I've run into as well. pgp is using some old crate versions and is holding back upgrading a lot of dependencies in apple-codesign as well as other crates in this repo. It is super annoying. https://github.com/rpgp/rpgp/pull/165 should hopefully fix most issues. Although I wasn't aware of that non-standard pinning of the zeroize crate. Maybe your PR will be sufficient to unlock progress, as the zeroize crate is the one that breaks most frequently when I try to modernize crypto dependencies in this repo.
Alright so I should have gotten PKG and DMG in. I still need to actually test it works (only bundle was tested for now), and assuming it all works, make the commit history a bit nicer :^).
Another thing I'd like to improve is getting richer error information by extracting it from the submission logs. There's a lot of really useful information in there, but right now it's printed as an ugly json blob. I want to add some method to pretty print it.
Looks like your zeroize PR merged in the rpgp repo! Hopefully that means a release is near. If not, I'm not opposed to throwing up a fork on crates.io as a workaround: I'm tired of working around dependency hell resulting from that crate.
rpgp 0.8 just got released :tada:
I was having my own go at upgrading dependencies and it looks like yubikey depending on rsa 0.5 is going to be a hurdle. I filed https://github.com/iqlusioninc/yubikey.rs/issues/393 to request a release.
Yeah, I ran into yubikey-rs problems, and also rpm-rs problems. See https://github.com/roblabla/rpm-rs/tree/update-packages
I haven't forgotten about this PR. I wanted to get the dependency upgrades merged first because they are a pain to update. As I was doing that, I discovered a dependency hell due to the yubikey-rs crate and wanted to get that resolved. It is kind of in limbo at the moment. I'll try to find time to take a look at this over the weekend.
As you can see, I pushed this. I also did a bit of refactoring after the push, mostly to clean up the UI around notarization.
The one part of your PR I did not preserve is the structs for parsing the log JSON. We don't need that yet, as we just print the JSON instead.
I did add your GitHub username and reported full name from your GitHub profile to the changelog. And I plan to say something similar in an upcoming blog post about the pending 0.17 release. If you would like me to withhold your username or full name or identify you some other way, just let me know and I'll respect your wishes. I'll likely publish 0.17 on Sunday and the blog post on Monday morning California time.
Thanks again for this amazing contribution!
This MR adds notarization through the Notary API.
Fixes #591
Currently, this is only implemented for code bundle signing. I need to implement pkg and dmg signing next, and do a lot of code cleanup.
This API is quite a bit faster than the old method. My code gets notarized in around 20 seconds with this API, whereas it took around a minute with the old Transporter API.
Note that I'm also having a very messy dependency hell issue. PyOxidizer depends on pgp, which fell into the pitfall of using non-standard dependency version requirements on zeroize... This means that it is currently impossible to use pgp and aws-sdk-s3 in the same dependency graph. I have reported the problem to pgp, and have a patch to fix the issue. Hopefully pgp will release a new version to fix this issue.