indygreg/apple-platform-rs

Bundle signing adding time stamp tokens too aggressively

indygreg opened this issue · 1 comments

As found in #95.

Apple's code signing doesn't add time-stamp tokens on CMS signatures for some nested entities when bundle signing.

I'm not sure of the rules here. Presence of the TSTs is probably harmless. But we would ideally follow the same rules as Apple.

On further inspection the root cause of this delta was the reproduce script in #95 adding timestamp tokens to one entity when calling codesign but not the other.

I think our default behavior of adding timestamp tokens when adding CMS signatures is fine.