Consider only attempting signing if shouldSign is explicity true or auto in EsrpSign.yml

By assuming shouldSign is false unless explicitly auto or true, will help prevent accidentally signing binaries unless the user explicitly wanted them signed. I would also consider setting the shouldSign parameter to false as default, but that would be a bigger breaking change.