fix: ensure kernel is signed with the right key

Before 9.3/8.9 we introduced a change to the signing methodology to support multiple types of keys in a single kernel. i.e., we now support different keys for different artifacts (uki, 64k, etc). This change modifies the upstream spec to pin us to the sigcloud kernel certificate to sign with, and provides information for the sbsigntools macros to process the calls to %pesign properly.

Additionally, we are not building a UKI kernel at this time for SIG/Cloud.