chore(build): sign all artifacts COMPASS-7549

[mabaasit]

In this PR, we are signing all the remaining compass artifacts - for windows, macos (zip only) and rhel. Steps to verify a files are similar to the one in #5334.
For windows .exe and .msi, the files should have a digital signature, chrome (when downloading) and os (when installing) should not complain.

Description

Checklist

• New tests and/or benchmarks are included
• Documentation is changed or added
• I have signed the MongoDB Contributor License Agreement (https://www.mongodb.com/legal/contributor-agreement)

Motivation and Context

• Bugfix
• New feature
• Dependency update
• Misc

Open Questions

Dependents

Types of changes

• Backport Needed
• Patch (non-breaking change which fixes an issue)
• Minor (non-breaking change which adds functionality)
• Major (fix or feature that would cause existing functionality to change)

[himanshusinghs]

Amazing work 🚀

[mcasimir]

Looks great! I left 2 comments that may be worth looking at if you have some time, totally good for a followup since this one is green and we could merge.

[mcasimir]

We have similar branching based on build variants in mongosh, and personally i find it hard to digest and maintain, it creates obscure dependencies between the CI and the code that may not be immediately clear, and relies on assumptions about the variants that may not stand true over time.

Could we do something different / more intentional to detect where to use ssh and where to use docker? For example, we could directly set this as a variable / expansion in CI: https://docs.devprod.prod.corp.mongodb.com/evergreen/Project-Configuration/Project-Configuration-Files#build-variants

name: ubuntu
expansions:
    garasign_client_type: "remote"

Also, as a more radical thought, since it seems that we have docker only on ubuntu, is there a downside to always sign with SSH?

[mabaasit]

ended up using remote signing client across. this makes our CI cleaner and similar across all build variants