The AntelopeIO/leap development team wants the tarballs generated by cpack inside the reproducible.Dockerfile to be reproducible so that they can be provided as release assets and signed reliably.
Acceptance Criteria:
The tarballs are generated in a reproducible order.
Reproducibility is ensured across different filesystems and builds on the same filesystem.
The tarballs can be provided as release assets.
They can be signed with confidence.
Considerations:
It may be necessary to submit a patch upstream to address this issue.
Similar to the tweak-deb.sh process, a post-processing step may be employed to achieve reproducibility.
Additional Information:
The tarballs coming out of cpack inside of reproducible.Dockerfile are not reproducible. It appears cpack adds the files to the archive simply in the order readdir() returns them, which isn't stable across different filesystems or potentially even different builds on the same filesystem.
We can almost certainly fix this locally via some sort of post-processing step (similar to tweak-deb.sh). It would be better to try and submit a patch upstream though.
I'd like to provide the tarballs as a release asset in addition to the .deb files. But we need them to be reproducible for us to sign them.
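A sketch of the post-processing option mentioned in the issue, added here as an illustration and not taken from the leap repository or from cpack: it repacks an uncompressed tarball with entries sorted by path and host-dependent metadata pinned, so two builds with the same file contents hash identically. The names `normalize_tar`, `build_sample` and `digest` and the sample file paths are constructed for this example.

```python
import hashlib
import io
import tarfile


def normalize_tar(data: bytes, mtime: int = 0) -> bytes:
    """Repack an uncompressed tar so its bytes no longer depend on readdir() order."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as src, \
            tarfile.open(fileobj=out, mode="w:", format=tarfile.GNU_FORMAT) as dst:
        # Sort by path; hard links go last so each follows the entry it points to.
        members = sorted(src.getmembers(), key=lambda m: (m.islnk(), m.name))
        for member in members:
            # Pin metadata that varies between build hosts and runs.
            member.mtime = mtime
            member.uid = member.gid = 0
            member.uname = member.gname = ""
            payload = src.extractfile(member) if member.isreg() else None
            dst.addfile(member, payload)
    # If the result is gzipped afterwards, the gzip header timestamp must be
    # fixed as well (for example gzip.compress(data, mtime=0)).
    return out.getvalue()


def build_sample(names, mtime):
    """Constructed input: same files, caller-chosen entry order and timestamp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            body = f"contents of {name}\n".encode()
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), mtime
            info.uid, info.uname = 1000, "builder"
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def digest(data: bytes) -> str:
    """SHA-256 of the archive bytes, i.e. what a release signature would cover."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Two "builds" whose entry order and timestamps differ, as with readdir().
    a = build_sample(["bin/tool-b", "bin/tool-a", "lib/libdemo.a"], 1700000000)
    b = build_sample(["lib/libdemo.a", "bin/tool-a", "bin/tool-b"], 1700000999)
    print("raw equal:       ", digest(a) == digest(b))
    print("normalized equal:", digest(normalize_tar(a)) == digest(normalize_tar(b)))
```
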