[tracking] send shas to be signed, not the whole file

[escapewindow]

Currently, we send whole files over to the signing servers and autograph, which then sign the files and either return a signed file or a detached signature, depending on signing format. Aiui, these signatures involve signing the hash of the file, not the entirety of the file's contents.

A network and server optimization could therefore involve sending only the hash of the file to sign, rather than the entirety of the contents. That means we need to:

• calculate the hashes on the signingscript side
• send the hashes to the signing server or autograph
• the signing server or autograph need to be able to handle signing just the hash, and return the signature
  • we optionally want to verify this request; we have plans to do so for mar signing
• signingscript needs to be able to insert the signature into the signed file (not applicable to detached signatures, but needed otherwise).

We should have similar amount of computations being done, but we'll move them off the servers and onto the workers. We'll also drastically reduce the network bandwidth usage.

[escapewindow]

https://github.com/mozilla-releng/signingscript/pull/69 covers mar signing.