
scripts: imgtool: added fixed signature script option

Open · DaBs opened this issue 8 months ago · 1 comment

This PR adds the option of passing fix-sig-script as an external script to be called for signature generation, to then let the process continue as if it had generated the signature itself.

The current flow

To use a public key and an external signature provider, you'd have to:

  1. Run imgtool with --vector-to-sign to save the vector
  2. Fetch public key corresponding to signature generation
  3. Call external script with the vector to sign, save or otherwise pass signature
  4. Run imgtool again, this time providing it with --fix-sig and --fix-sig-pubkey
  5. Have signed image

New possible flow with proposed changes

  1. Fetch public key corresponding to signature generation
  2. Run imgtool with --fix-sig-script and --fix-sig-pubkey matching
  3. Have signed image

Codebases or other downstream dependencies that rely on baking in calls to imgtool and mainly having a singular call in the normal path, but otherwise taking in all imgtool options, now get to keep that, and simply provide the script as an extra option, without needing a different flow from e.g. a debug build.

This lets the difference between e.g. a debug and a release build be entirely managed in the signature script, and so lets the same pipeline be used opaquely while still generating different builds signed with different keys depending on e.g. the environment it is run in.

DaBs, Apr 04 '25 09:04
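As an added illustration of the external signature provider that the flows above hand the vector to (this is not code from the PR or from mcuboot, and the script's calling convention, a vector file in and a signature file out, plus the BUILD_TYPE environment variable that picks the key, are assumptions made here), the following Go program plays that provider: it selects a debug or release key from the environment, signs SHA-256 of the vector with ECDSA P-256 and returns the DER-encoded signature that imgtool itself emits for ECDSA-P256 keys, and refuses unknown build types instead of falling back to some key. The Verify function mirrors the bootloader's check and shows why the key passed as --fix-sig-pubkey must be the one the script actually used: a release signature does not verify under the debug public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"os"
)

// buildTypes are the key slots this provider knows about. Which one is used
// is decided by the environment the pipeline runs in (assumed: BUILD_TYPE),
// not by anything on the imgtool command line.
var buildTypes = []string{"debug", "release"}

// KeyRing holds one signing key per build type. A real provider would load
// these from an HSM or a protected key store; here they are generated in
// memory (constructed for the example) so the program is self-contained.
type KeyRing struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewKeyRing() (*KeyRing, error) {
	kr := &KeyRing{keys: make(map[string]*ecdsa.PrivateKey)}
	for _, bt := range buildTypes {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		kr.keys[bt] = k
	}
	return kr, nil
}

// Public returns the key that must be handed to imgtool as --fix-sig-pubkey
// for the given build type, or nil for an unknown type.
func (kr *KeyRing) Public(buildType string) *ecdsa.PublicKey {
	k, ok := kr.keys[buildType]
	if !ok {
		return nil
	}
	return &k.PublicKey
}

// Sign produces the ECDSA P-256 signature over SHA-256(vector), DER encoded.
// Unknown build types are refused rather than silently signed with a default key.
func (kr *KeyRing) Sign(buildType string, vector []byte) ([]byte, error) {
	k, ok := kr.keys[buildType]
	if !ok {
		return nil, fmt.Errorf("no signing key configured for build type %q", buildType)
	}
	digest := sha256.Sum256(vector)
	return ecdsa.SignASN1(rand.Reader, k, digest[:])
}

// Verify performs the check the bootloader will do at boot: the signature
// must validate under the public key that was baked into the image.
func Verify(pub *ecdsa.PublicKey, vector, sig []byte) bool {
	if pub == nil {
		return false
	}
	digest := sha256.Sum256(vector)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// main is the assumed script contract: argv[1] is the file imgtool wrote with
// --vector-to-sign, argv[2] receives the signature to feed back via --fix-sig.
// Keys are regenerated on every run here, so a real deployment would replace
// NewKeyRing with persistent key material.
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: signer <vector-to-sign> <signature-out>")
		os.Exit(2)
	}
	vector, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read vector:", err)
		os.Exit(1)
	}
	kr, err := NewKeyRing()
	if err != nil {
		fmt.Fprintln(os.Stderr, "keygen:", err)
		os.Exit(1)
	}
	sig, err := kr.Sign(os.Getenv("BUILD_TYPE"), vector)
	if err != nil {
		fmt.Fprintln(os.Stderr, "sign:", err)
		os.Exit(1)
	}
	if err := os.WriteFile(os.Args[2], sig, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, "write signature:", err)
		os.Exit(1)
	}
}
```

Run as `BUILD_TYPE=release ./signer image.vec image.sig` and pass `image.sig` to imgtool with `--fix-sig`, together with the public key that matches the selected slot as `--fix-sig-pubkey`. Because the environment alone decides which key signs, the cmake or shell pipeline that invokes imgtool stays identical between a debug and a release build, which is the property the PR description is after.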

@nordicjm @gchwier Any thoughts or inputs on this PR? We're specifically using this internally with good success and a subsequent patch to the b0_mcuboot_signing.cmake.

DaBs, May 30 '25 10:05