Without this, we tag the build as made by some random user account on some random host name, which is not useful.
(And a minor bug in the cache key, which has no effect on the build itself.)
This is sort of a proof of concept, but since our current Windows
builder is down this might solve the problem. It includes a change for
easier code signing (taking the certificate in a secret/env var rather
than existing already on disk), but otherwise mirrors precisely what we
already do in the build server.