signing: apple codesign

[Gankra]

This is an issue for codesigning on apple platforms in a way that is officially recognized and respected by macOS (and I guess iOS and friends). In particular it should prevent Apple's Gatekeeper from flagging the software as untrusted.

I believe this amounts to:

• giving Apple 100 bucks
• using Apple's signtool

I think the biggest question is how to get credentials into GitHub Actions SECRETS. In previous discussion this blogpost came up but I'm not sure if it's relevant / still valid.

[mistydemeo]

With #469, we'll also want to be signing the packages. Both pkgbuild and productbuild have flags that let you sign the package at creation time, but I need to confirm whether you need to sign the individual executables before packaging them, or if pkgbuild --sign also signs the files as a side effect.

[mistydemeo]

codesign, the CLI tool, is provided with the OS/Xcode as a standard utility. It's fairly straightforward to use. It requires a certificate and Apple developer membership. The only tricky part, honestly, is just making sure the certs are in the system keychain where it expects to find them. There are third party actions to perform this, but it's likely we can just write the logic ourselves.

We may also want to notarize, which we can perform at the commandline using notarytool.

[mistydemeo]

Implemented in #1361.