Right now there are two code paths for signing using a keyfile:

1) Full & delay signing implemented using a strong-name provider, which
   calls into the CLR when necessary to do signing.
2) Public signing, which extracts the key directly from the file and
   embeds it manually into the assembly using only portable code.

The tricky part is that (1) also implements a bunch of legacy semantics
on how to resolve the key file from various search paths, since the key
file can also be specified via an attribute.

This behavior is already deprecated, so rather than implement the
complicated file resolution for public sign as well, this PR changes the
command line compilers to always produce an absolute path for the key
file before passing it to CompilationOptions. CreateCompilation now also
has a check to enforce that CryptoKeyFile is an absolute path when
PublicSign is set.

Fixes #8360.