Sign and harden pkgs (#114027)

* Sign and harden pkgs

* Fix missing closing quote in MacOSPkg element

* Add singlefilehost to MacOS signing list

* Add new executables to MacOS signing list

* Add 'Mono' to MacOS signing list

* Remove inadvertently added lines

---------

Co-authored-by: Alexander Köplinger <alex.koeplinger@outlook.com>

Author: mmitche

eng/Signing.props

@@ -43,8 +43,12 @@
     <FileSignInfo Include="mscordaccore.dll" CertificateName="None" />
     <FileSignInfo Include="mscordbi.dll" CertificateName="None" />
 
-    <!-- On MacOS, we need to sign a number of our executables with the Mac developer cert with hardening enabled. -->
-    <FileSignInfo Condition="'$(TargetsOSX)' == 'true'" Include="dotnet;apphost;corerun;createdump" CertificateName="MacDeveloperHarden" />
+    <!-- On MacOS, we need to sign a number of our executables with the Mac developer cert with hardening enabled.
+         Avoid doing this on Linux, which has the same executable names -->
+    <FileSignInfo Condition="'$(TargetsOSX)' == 'true'" Include="dotnet;apphost;corerun;createdump;singlefilehost;crossgen2;ilasm;ilc;ildasm;llc;mono-aot-cross;opt;Mono" CertificateName="MacDeveloperHarden" />
+    <!-- Additionally, we need to notarize any .pkg files -->
+    <MacOSPkg Include="$(ArtifactsPackagesDir)**/dotnet-runtime*.pkg" Exclude="$(ArtifactsPackagesDir)**/dotnet-runtime-internal*.pkg" />
+    <FileSignInfo Include="@(MacOSPkg->'%(Filename)%(Extension)')" CertificateName="MacDeveloperWithNotarization" />
 
     <!-- We don't need to code sign .js files because they are not used in Windows Script Host. -->
     <!-- WARNING: Needs to happed outside of any target -->