Support macOS (darwin) amd64 and arm64 builds of Microsoft Go

[dagood]

This issue tracks supporting Microsoft Go toolset builds for macOS on our scripts/infra. A tricky point here is signing. We need to be able to sign the macOS binaries so that when we do publish a macOS build, it's compliant. (Also, I believe only 2/4 of us have access to macOS machines at the moment.)

Note: it's probably better to do this without FIPS compliance support initially. It will be easier to work on that with the basic workflow in place. (#1013)

[dagood]

Signing macOS archives seems pretty nasty. If I'm reading @gdams change and how notarization works correctly, we need three passes:

1. Sign individual binaries from inside the tar.gz and put them back in.
   • I've started changing the bulk of our signing code from MSBuild to Go so that we can ensure the permissions are set correctly on our Windows builder that is running all this. Also so the logic isn't as hostile to maintenance.
2. Sign/notarize the tar.gz, which actually modifies the tar.gz itself.
3. Create a signature for the tar.gz.
   • Arguably not necessary?

We currently have just one pass. We sign individual files in the zip, but we don't create a signature for the zip. For tar.gz files, we only create a signature.

We can use the necessity of having at least two passes as an opportunity to produce signatures for our zip files, simply to keep our artifacts more similar.

[dagood]

Complete, but there is some followup:

Test builder: #1394
Notarization, or determining that we don't need to do it: https://github.com/microsoft/go-lab/issues/147