Support signed URLs with Google Cloud Application Default Credentials (ADC)

[flokli]

When running nixery on a GCP instance with the default service account / in a cloud run function / GKE, nixery should still be able to emit signed URLs to GCS buckets. It currently has code only doing this if GOOGLE_APPLICATION_CREDENTIALS is set explicitly.

[tazjin]

It should not do this without the feature being explicitly enabled, as the signBlob API unfortunately requires service account impersonation credentials. Useful to have though!