Conversation

Contributor

Copilot AI commented Jul 27, 2025

This PR implements comprehensive macOS code signing and notarization for all binaries built in this repository, addressing the security requirements for macOS distribution.

What Changed

  • Created reusable workflow .github/workflows/macos-sign-notarize.yml that handles the complete signing and notarization process
  • Updated all 6 language workflows (Swift, Golang, Rust, C, C++, .NET) to include macOS signing jobs
  • Added comprehensive documentation in docs/MACOS_SIGNING.md covering setup and troubleshooting

Key Features

Graceful Degradation: The implementation works seamlessly whether or not Apple Developer secrets are configured. This ensures:

  • Forks and development environments continue to work without certificates
  • Production builds automatically get signed when secrets are available
  • Clear logging indicates when signing is skipped vs. when it succeeds

Complete Signing Process:

  1. Import Apple Developer certificates
  2. Sign binaries with "Developer ID Application" certificate and runtime hardening
  3. Submit to Apple for automated notarization
  4. Staple notarization tickets to binaries for offline verification

Comprehensive Coverage: All languages that build macOS binaries are now supported:

  • Swift: Universal binaries (Intel + ARM)
  • Golang: Separate Intel and ARM binaries
  • Rust: Intel binaries
  • C: Both Intel and ARM binaries
  • C++: Both Intel and ARM binaries
  • .NET: Both osx-x64 and osx-arm64 binaries

Required Repository Secrets

For repository maintainers to enable signing, these secrets need to be configured:

  • APPLE_CERTIFICATE: Base64 encoded .p12 certificate
  • APPLE_CERTIFICATE_PASSWORD: Certificate password
  • APPLE_DEVELOPER_ID: Apple ID email
  • APPLE_APP_PASSWORD: App-specific password
  • APPLE_TEAM_ID: Apple Developer Team ID

Usage

The signing process runs automatically after each macOS build job completes. Signed binaries are uploaded as artifacts with a -signed suffix. When secrets are not available, workflows continue normally with informational messages.

Fixes #36.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/Apple-Actions/import-codesign-certs
    • Triggering command: curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
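The four-step process described above, as an added example script that is not the PR's reusable workflow or any project code: it assumes a macOS runner with the Xcode command line tools and reads the five listed secrets from environment variables of the same name, skipping signing when any is missing.

```shell
# Added example (not the PR's workflow): sign, notarize and staple, gated on
# the PR's secrets read from the environment; assumes macOS + Xcode CLI tools.
set -eu

# Graceful degradation: succeed only when every secret is present, otherwise
# say why signing is skipped and let the caller continue unsigned.
signing_configured() {
  for v in APPLE_CERTIFICATE APPLE_CERTIFICATE_PASSWORD APPLE_DEVELOPER_ID \
           APPLE_APP_PASSWORD APPLE_TEAM_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "signing skipped: $v is not set" >&2; return 1; }
  done
}

# Step 1: decode the base64 .p12 into a throwaway keychain so codesign can
# use the identity non-interactively on a CI runner.
import_certificate() {
  keychain=build.keychain; kc_pw=$(openssl rand -hex 16); p12=$(mktemp)
  printf '%s' "$APPLE_CERTIFICATE" | base64 --decode > "$p12"
  security create-keychain -p "$kc_pw" "$keychain"
  security unlock-keychain -p "$kc_pw" "$keychain"
  security import "$p12" -k "$keychain" -P "$APPLE_CERTIFICATE_PASSWORD" \
    -T /usr/bin/codesign
  security set-key-partition-list -S apple-tool:,apple: -s -k "$kc_pw" "$keychain"
  security default-keychain -s "$keychain"
  rm -f "$p12"
}

# Step 2: Developer ID signature with hardened runtime and secure timestamp
# (both required for notarization), then a strict verification.
sign_binary() {
  codesign --force --options runtime --timestamp \
    --sign "Developer ID Application" "$1"
  codesign --verify --strict --verbose=2 "$1"
}

# Step 3: notarytool takes an archive; --wait blocks until Apple's verdict.
notarize_binary() {
  ditto -c -k --keepParent "$1" "$1.zip"
  xcrun notarytool submit "$1.zip" --apple-id "$APPLE_DEVELOPER_ID" \
    --password "$APPLE_APP_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait
}

# Step 4: attach the ticket for offline Gatekeeper checks (see note below).
staple_binary() { xcrun stapler staple "$1"; }

main() {
  signing_configured || return 0
  import_certificate
  for bin in "$@"; do sign_binary "$bin"; notarize_binary "$bin"; staple_binary "$bin"; done
}
```

Note that `stapler` can attach a ticket to an .app, .pkg or .dmg but not to a bare Mach-O executable, so for standalone binaries the staple step fails and Gatekeeper fetches the ticket from Apple online instead. Wrapping the binaries in a .dmg or .pkg before notarizing gives Apple something the ticket can be stapled to.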
Copilot AI changed the title from "[WIP] Add notary for MacOS" to "Add macOS code signing and notarization support for all binary workflows" on Jul 27, 2025
Copilot AI requested a review from commjoen July 27, 2025 07:28

Development

Successfully merging this pull request may close these issues.

Add notary for MacOS

2 participants