Found myself setting this up today and recalled this thread. In the current version of Postman this is easily handed via a pre-request script. Here's what mine looks like in case its helpful, just be sure to replace the api_key with the actual value attached to the user sending the request and to exclude the "sign" param from the list in the params tab, or else it will be added twice.
const api_key = "apikey1234replacethis"
let querystring = pm.request.url.query.toString()
let sign = CryptoJS.SHA256(api_key+querystring).toString()
pm.request.url.query.add({key: 'sign', value: sign})
Dan