Publish warning during validation for non timestamped MSIX packages

[denelon]

Description of the new feature/enhancement

Per @jaifroid

I've been doing some research, and timestamping AppxBundle is not easy. Guess what, SignTool doesn't support doing so! Fiendishly complicated blog post about it here: https://blog.jayway.com/2017/01/16/time-stamping-appx-packages/

Proposed technical implementation details (optional)

If possible, instrument the validation pipeline to provide a warning when MSIX packages have not been timestamp signed. This will help notify publishers when their applications aren't timestamp signed.

Periodic validation should also be instrumented for this check so Issues can be created for existing packages that have not been timestamp signed. These packages should be removed if the certificate has expired and they are not timestamp signed.

[Jaifroid]

Could this please include the older appx and appxbundle formats? These can also be signed with a timestamp (I have verified that this is possible for appxbundles with SignTool).

[denelon]

All the following extensions are considered MSIX (.appx, .appxbundle, .msix, .msixbundle) by the Windows Package Manager.

[Trenly]

@denelon Would this fall under Area-Validation-Pipelines ?