
Fix systemd-boot signing on sealed image test

Open gerblesh opened this issue 2 months ago • 0 comments

Fixes systemd-boot signing. Before, the systemd-boot binary was signed on the buildroot but not on the target image, resulting in an unbootable image with secure boot enabled and the proper keys enrolled. This PR fixes it by first signing the systemd-boot on the image (assumes it is installed), copying it over to the final image, then computing the digest, and then finally signing and creating the UKI with a different multi-stage build. Definitely a little jank, and https://github.com/bootc-dev/bootc/issues/1498 does look like a better solution in the long term; however, this at least gets the image into a bootable state on secure boot and allows for testing secure boot in VMs. Would be happy to take a stab at proper image building UX, but I'm not sure if that already has work done or if y'all have a particular vision in mind for the build system.

gerblesh, Nov 26 '25 01:11
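A check for the failure described in this PR (systemd-boot signed in the buildroot but unsigned on the target image), as an added example that is not part of the PR or of bootc: it reads the PE header of an EFI binary and reports whether an Authenticode certificate table is present. The sample binaries are constructed stand-ins, and the check covers presence only, not whether the signature verifies against the enrolled keys.

```python
import struct

SECURITY_DIR = 4  # data-directory index of the Authenticode certificate table


def certificate_table(data: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE/EFI binary: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header follows 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:      # PE32+ (x86_64, aarch64)
        count_off, dirs_off = 108, 112
    elif magic == 0x10B:    # PE32
        count_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    (count,) = struct.unpack_from("<I", data, opt + count_off)
    if count <= SECURITY_DIR:
        return None
    # For this directory the first field is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table extends past end of file")
    return off, size


def constructed_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a real bootloader."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)            # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x20B)            # PE32+
    struct.pack_into("<I", buf, opt + 108, 16)         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, opt + 112 + 8 * SECURITY_DIR, 0x200, 8)
        buf += bytes(8)                                 # placeholder, not a real signature
    return bytes(buf)


if __name__ == "__main__":
    for label, signed in (("buildroot copy", True), ("target image copy", False)):
        print(label, "->", certificate_table(constructed_pe(signed)))
```

Run against the systemd-boot binary extracted from the final image, a `None` result means the unsigned copy shipped.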