Figure out deep signing for Windows toolchain

We should generate a CDF and use `MakeCat` and sign that with `SignTool` to install with the toolchain.  This guarantees that the toolchain is verifiable from modifications after installation.