Embed Apple root and intermediate certificates into quill binary

[wagoodman]

This PR makes the following changes to quill:

• Fails signing if certificate verification fails (which now requires the full chain). Previously verification would be skipped with a warning when the full chain was not found. Now there is an error indicating the chain is missing. This can be turned off with the QUILL_SIGN_FAIL_WITHOUT_FULL_CHAIN env var set to false.
• Embeds all of the root and intermediate certificates found from https://www.apple.com/certificateauthority/ via a go generate step. These certificates are checked into the repo. Note: no automation updates these certificates, they will need to be updated manually and checked in with make update-apple-certs
• Adds new quill embedded-certificates command to enumerate the Apple certificates embedded in the quill binary
• renames the pem package to pki (more accurate, especially with the current additions)
• splits the pki packages into load for loading material from sources and certchain for operating on a cert store or chain.

TODO:

• add test that shows failure with single cert during signing and another test that sets QUILL_SIGN_FAIL_WITHOUT_FULL_CHAIN to false and shows the previous test steps pass.
• refactor the embedded store behind an interface to make testing easier -- add unit tests for pki.FindRemainingChainCerts to show that the embedded lookup works as expected with test-fixture certs.
• update README.md to show that the attach-chain step is no longer necessary (but also show it's necessary for non-apple roots being used)
• maybe rename the quill apple-certs command? [renamed to embedded-certificates]

Closes #8
Closes #16

[kzantow]

LGTM