
Add macOS code signing to eliminate xattr security workaround #20

Merged
lmangani merged 6 commits into main from copilot/patch-dev-build-signing
Jan 22, 2026

Conversation

Contributor

Copilot AI commented Jan 22, 2026

macOS security restrictions prevent the PyInstaller-built app from launching without running sudo xattr -cr /Applications/AceForge.app. This implements automated code signing in the build workflow to eliminate that workaround.

Implementation

  • build/macos/entitlements.plist: Security entitlements for network (Flask server), file I/O, JIT (PyTorch/ML), and unsigned executable memory
  • build/macos/codesign.sh: Signs all dylibs, frameworks, and executables, then the bundle itself. Defaults to ad-hoc signing (- identity, no certificate required). Supports Developer ID via MACOS_SIGNING_IDENTITY env var
  • build-release.yml: Added signing step after PyInstaller build, before DMG creation

Code signing flow

```bash
# Signs libraries and frameworks first
find "$APP_PATH/Contents" -type f \( -name "*.dylib" -o -name "*.so" \)
find "$APP_PATH/Contents/Frameworks" -type f -perm /111

# Then executables
for exe in "$APP_PATH/Contents/MacOS"/*

# Finally the bundle
xcrun codesign --sign "$SIGNING_IDENTITY" --options runtime --entitlements entitlements.plist AceForge.app
```

Ad-hoc signing requires no Apple Developer account and prevents Gatekeeper from blocking the app. For notarized distribution, set MACOS_SIGNING_IDENTITY secret to a Developer ID certificate.

Adapted from dylanwh/lilguy.

Original prompt

This section details the original issue you should resolve

<issue_title>Dev Build Sign</issue_title>
<issue_description>Our OSX is correct, but due to security restrictions only runs if we manually patch it

```sh
sudo xattr -cr /Applications/AceForge.app
```

This is of course annoying during development.
We found this approach in a rust OSX App repository - let's adapt the following example and variable to our case/build actions, and apply the codesign parts to our .App build as well to see if it resolves our challenge:

```bash
#!/bin/bash
# Massive thanks to @dylanwh for the approach
# https://github.com/dylanwh/lilguy/blob/main/macos/build.sh
set -euo pipefail
DOMAIN="io.hotchkiss.web"
EXE="hotchkiss-io"
OUTPUT="target/apple-darwin/release"
# VERSION is used below but was never assigned; under set -u the sed line
# would abort, so require it from the environment (e.g. the release tag)
VERSION="${VERSION:?VERSION must be set}"

rustup target add aarch64-apple-darwin

cargo build --locked --target aarch64-apple-darwin --release

# Assemble the .app bundle layout by hand
mkdir -p $OUTPUT/Hotchkiss-IO.app
mkdir -p $OUTPUT/Hotchkiss-IO.app/Contents/MacOS
mkdir -p $OUTPUT/Hotchkiss-IO.app/Contents/Resources

cp target/aarch64-apple-darwin/release/$EXE $OUTPUT/Hotchkiss-IO.app/Contents/MacOS/$EXE
sed -e "s;%VERSION%;$VERSION;g" build/macos/Info.plist > $OUTPUT/Hotchkiss-IO.app/Contents/Info.plist
cp build/macos/HotchkissLogox1024.icns $OUTPUT/Hotchkiss-IO.app/Contents/Resources

# Sign the main executable with the hardened runtime, a secure timestamp and
# the entitlements it needs; the --sign value names the signing certificate
xcrun codesign \
    --sign "G53N9PU948" \
    --timestamp \
    --options runtime \
    --entitlements build/macos/entitlements.plist \
    $OUTPUT/Hotchkiss-IO.app/Contents/MacOS/$EXE

# Wrap the bundle in a signed component package that installs to /Applications
pkgbuild --root $OUTPUT \
    --identifier "$DOMAIN" \
    --component-plist build/macos/pkgbuild.plist \
    --version "$VERSION" \
    --install-location /Applications \
    --sign "G53N9PU948" \
    target/$EXE.pkg

# Build the distribution package, sign it, notarize it and staple the ticket
# so the installer is accepted by Gatekeeper even when offline
productbuild \
    --distribution build/macos/Resources/Distribution.xml \
    --resources build/macos/Resources/ --package-path target/ unsigned-$EXE.pkg

productsign --sign "G53N9PU948" unsigned-$EXE.pkg $EXE.pkg

xcrun notarytool submit $EXE.pkg \
    --keychain-profile "AppPwdNotarizID" \
    --wait

xcrun stapler staple $EXE.pkg

mv $EXE.pkg "$EXE-$VERSION.pkg"
```
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

  • Fixes audiohacking/AceForge#19
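The inside-out signing flow and the entitlements described in this PR, as an added example that is not AceForge's build/macos/codesign.sh or entitlements.plist: it signs a PyInstaller bundle with either the ad-hoc identity or a Developer ID certificate, and then runs the checks a reviewer would want before trusting a claim that Gatekeeper is satisfied (it goes beyond the PR text in that verification step). The entitlement set, the use of file(1) to pick out Mach-O files, the CODESIGN override and the argument layout are assumptions made here; MACOS_SIGNING_IDENTITY is the variable the PR itself uses.

```sh
#!/bin/sh
# Added example, not the project's codesign.sh: sign a PyInstaller .app inside
# out (ad-hoc or Developer ID) and check the result the way Gatekeeper would.
# Assumed: the entitlement set below, Mach-O detection via file(1), and the
# CODESIGN override (set it to "echo" for a dry run).
set -eu

CODESIGN=${CODESIGN:-codesign}

# Hardened-runtime exceptions a PyInstaller + PyTorch app typically needs.
# Every key loosens the runtime, so keep the list short. The
# com.apple.security.network.* keys are App Sandbox entitlements and change
# nothing for an unsandboxed app; disable-library-validation is what lets a
# Developer ID signed app load dylibs signed by other teams (PyPI wheels).
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict>
</plist>
EOF
}

# "-" (or empty) is codesign's ad-hoc identity: a signature with no certificate
is_adhoc() { [ -z "${1:-}" ] || [ "$1" = "-" ]; }

# sign_path IDENTITY TARGET [ENTITLEMENTS]
# --force re-signs wheels that already carry a signature; --timestamp needs a
# certificate-backed signature, so it is only added for a real identity.
# Entitlements belong to the executables and the bundle, not to plain dylibs.
sign_path() {
  sp_identity=${1:-}; sp_target=$2; sp_ent=${3:-}
  is_adhoc "$sp_identity" && sp_identity=-
  set -- --force --sign "$sp_identity" --options runtime
  is_adhoc "$sp_identity" || set -- "$@" --timestamp
  [ -z "$sp_ent" ] || set -- "$@" --entitlements "$sp_ent"
  $CODESIGN "$@" "$sp_target"
}

# Inside out: a bundle signature seals its contents, so every nested Mach-O
# (dylibs, .so modules, framework binaries) is signed before the executables,
# and those before the bundle itself.
sign_bundle() {
  sb_app=$1; sb_identity=$2; sb_ent=$3
  find "$sb_app/Contents" -type f ! -path "$sb_app/Contents/MacOS/*" |
    while IFS= read -r f; do
      case $(file -b "$f") in Mach-O*) sign_path "$sb_identity" "$f" ;; esac
    done
  for exe in "$sb_app/Contents/MacOS"/*; do
    sign_path "$sb_identity" "$exe" "$sb_ent"
  done
  sign_path "$sb_identity" "$sb_app" "$sb_ent"
}

# What to check before believing the app "is signed".
verify_bundle() {
  vb_app=$1
  # integrity of the whole bundle, nested code included
  $CODESIGN --verify --deep --strict --verbose=2 "$vb_app"
  # prints "Signature=adhoc" or the Authority= lines of a Developer ID chain
  $CODESIGN --display --verbose=2 "$vb_app"
  # A download gets this attribute from the browser; without it Gatekeeper is
  # never consulted, which is why a local ad-hoc build launches fine.
  xattr -p com.apple.quarantine "$vb_app" 2>/dev/null ||
    echo "no com.apple.quarantine attribute: Gatekeeper will not assess this copy"
  # Gatekeeper's verdict on a quarantined copy. An ad-hoc signature proves
  # integrity, not identity, so spctl rejects it (its non-zero exit ends the
  # script here); distribution needs Developer ID plus notarization.
  spctl --assess --type execute --verbose "$vb_app"
}

if [ $# -gt 0 ]; then
  app=$1; ent=${2:-entitlements.plist}
  [ -f "$ent" ] || write_entitlements "$ent"
  sign_bundle "$app" "${MACOS_SIGNING_IDENTITY:--}" "$ent"
  verify_bundle "$app"
fi
```

Run it as `MACOS_SIGNING_IDENTITY="Developer ID Application: ..." ./sign_and_check.sh dist/AceForge.app` (or without the variable for an ad-hoc build); the spctl line is the honest answer to whether a quarantined download will open, and it is also where an ad-hoc build fails.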


Copilot AI and others added 4 commits January 22, 2026 11:46
Co-authored-by: lmangani <1423657+lmangani@users.noreply.github.com>
Co-authored-by: lmangani <1423657+lmangani@users.noreply.github.com>
Co-authored-by: lmangani <1423657+lmangani@users.noreply.github.com>
Co-authored-by: lmangani <1423657+lmangani@users.noreply.github.com>
Copilot AI changed the title [WIP] Update dev build signing process for OSX app Add macOS code signing to eliminate xattr security workaround Jan 22, 2026
Copilot AI requested a review from lmangani January 22, 2026 11:52
Removed push trigger for specific branches in workflow.
@lmangani lmangani marked this pull request as ready for review January 22, 2026 13:59
@lmangani lmangani merged commit d060d0b into main Jan 22, 2026
5 checks passed