Bug 1341922 (Closed): non-privileged, non-secret dep signing on taskcluster
Opened 8 years ago; closed 1 year ago
Categories: Release Engineering :: General, defect, P2
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: mozilla; Unassigned
We want to turn on signing for dep builds, but these don't need to go through scriptworker or the signing servers.
Ideally we'd have a script or set of scripts that can sign in the various formats (signtool? signingscript? another script?), and some non-privileged non-secret keys for dep signing.
The keys can be auto-generated, or distributed through taskcluster level-1 secrets or a non-secret-keys-as-a-service service, so signing can happen on Try.
We can run signing through this script on docker-worker.
Updated 8 years ago: Blocks: tcmigration-cleanup
Updated 7 years ago: Priority: -- → P2
Comment 1 (Reporter) • 7 years ago
- Docker container
- Secrets service keys
- Python module with signing logic, factored out of the signing server; then we can share logic
- Tasks parallel to the current scriptworker build-signing in the graph. Tests depend on the dep signing task. We can then build-sign during promotion.
- This gives us both task types, so we can test the build-signing on try if wanted.
- This allows us to dep-sign on push and nightly/release sign on promotion, which defers nightly/release signing, which was a stretch goal we've been talking about for a while.
Updated 7 years ago: Component: General Automation → General
Comment 2 (Reporter) • 6 years ago
Not entirely sure if we still want this, or if we'll just be pointing at autograph dep keys.
Comment 3 • 1 year ago
(In reply to Aki Sasaki (not active) from comment #2)
> Not entirely sure if we still want this, or if we'll just be pointing at
> autograph dep keys.
We ended up doing the latter, which has the added benefit of making sure we test scriptworker, autograph, and other code.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX