
Fix macOS CLI binary SIGKILL (Code Signature Invalid)#451

Open
citadelgrad wants to merge 1 commit into RightNow-AI:main from citadelgrad:fix/macos-cli-codesign

Conversation

@citadelgrad citadelgrad commented Mar 8, 2026

Fixes #452

Summary

The CLI binary (openfang) is immediately killed on macOS Apple Silicon with SIGKILL (Code Signature Invalid) / Taskgated Invalid Signature. Two compounding issues in the release pipeline:

  1. release.yml: The CLI binary is signed with codesign --force --sign - (ad-hoc) in CI. Ad-hoc signatures are machine-specific and invalid when transferred to another Mac. Meanwhile, the Tauri desktop app is properly signed with a Developer ID certificate + notarized.

  2. install.sh: The install script tries to re-sign locally but silences ALL errors (2>/dev/null || true). It also doesn't strip extended attributes first (com.apple.provenance), which causes codesign to produce an invalid result on newer macOS versions.

Changes

scripts/install.sh

  • Strip quarantine/provenance extended attributes (xattr -cr) before codesigning
  • Surface codesign errors instead of silencing them, with a manual fallback message

.github/workflows/release.yml

  • Replace ad-hoc signing with Developer ID certificate signing for the CLI binary
  • Reuses the same MAC_CERT_BASE64 / MAC_CERT_PASSWORD secrets already configured for the Tauri desktop build (lines 73-93)
  • Adds --timestamp and --options runtime flags for proper signature

Notes

  • The release.yml change depends on the existing MAC_CERT_BASE64 and MAC_CERT_PASSWORD CI secrets already configured for the desktop app build
  • The install.sh fix works independently and will improve the experience even before the CI change takes effect

Immediate workaround (for users hitting this now)

# Clear quarantine/provenance xattrs, re-sign ad hoc, then confirm the binary runs
xattr -cr ~/.openfang/bin/openfang
codesign --force --sign - ~/.openfang/bin/openfang
openfang --version

Test plan

  • Verify install.sh strips xattrs and re-signs successfully on macOS ARM64
  • Verify install.sh shows error message if codesign fails (instead of silent failure)
  • Verify release.yml CI signs CLI binary with Developer ID on macOS runners
  • Verify downloaded CLI binary runs without SIGKILL on a fresh macOS Apple Silicon machine

- install.sh: strip quarantine/provenance xattrs before codesigning,
  surface errors instead of silencing them
- release.yml: sign CLI binary with Developer ID certificate (reusing
  the same secrets already configured for the Tauri desktop app)
  instead of ad-hoc signing which is invalid on other machines
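The CI side of the change, as an added example that is not the project's release.yml: sign the CLI with the Developer ID identity using the flags the description lists (--timestamp, --options runtime), then refuse to publish unless the signature codesign actually wrote is a Developer ID, timestamped, hardened-runtime one rather than the ad-hoc signature shipped before. CODESIGN_IDENTITY, the function names and the two abridged codesign -dvv reports are this example's assumptions and constructed samples, not output from the project's binary.

```shell
#!/bin/sh
# Added example, not the project's release.yml: the CI side of the fix. Sign the
# CLI with the Developer ID identity the way the PR describes, then refuse to
# publish unless `codesign -dvv` reports what we expect. CODESIGN_IDENTITY and
# the function names are this example's, not the project's.

# --timestamp embeds a secure timestamp; --options runtime turns on the
# hardened runtime. Neither is set by the old ad-hoc `codesign --force --sign -`.
sign_release_binary() {
    bin=$1
    identity=${CODESIGN_IDENTITY:?set CODESIGN_IDENTITY to the Developer ID Application identity}
    codesign --force --timestamp --options runtime --sign "$identity" "$bin"
}

# Read a `codesign -dvv` report on stdin; return non-zero (and say why on
# stderr) unless it is a Developer ID, timestamped, hardened-runtime signature.
check_codesign_report() {
    report=$(cat)
    rc=0
    if printf '%s\n' "$report" | grep -q '^Signature=adhoc'; then
        echo "check: ad-hoc signature, no certificate (the pre-fix state)" >&2
        rc=1
    fi
    if ! printf '%s\n' "$report" | grep -q '^Authority=Developer ID Application:'; then
        echo "check: not signed with a Developer ID Application certificate" >&2
        rc=1
    fi
    if ! printf '%s\n' "$report" | grep -q '^CodeDirectory .*flags=[^ ]*runtime'; then
        echo "check: hardened runtime not enabled (--options runtime missing)" >&2
        rc=1
    fi
    if ! printf '%s\n' "$report" | grep -q '^Timestamp='; then
        echo "check: no secure timestamp (--timestamp missing)" >&2
        rc=1
    fi
    return $rc
}

# CI gate: inspect the signature codesign actually wrote to the binary.
verify_release_binary() {
    codesign -dvv "$1" 2>&1 | check_codesign_report
}

# Constructed sample reports (abridged; not captured from the project's binary)
# so the checker can be exercised without a Mac.
SAMPLE_DEVELOPER_ID_REPORT='Executable=/tmp/openfang
Identifier=openfang
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Mar 8, 2026 at 10:00:00 AM
TeamIdentifier=ABCDE12345'

SAMPLE_ADHOC_REPORT='Executable=/tmp/openfang
Identifier=openfang
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Returns 0 when the checker accepts the Developer ID sample and rejects the
# ad-hoc one.
self_check() {
    printf '%s\n' "$SAMPLE_DEVELOPER_ID_REPORT" | check_codesign_report || return 1
    if printf '%s\n' "$SAMPLE_ADHOC_REPORT" | check_codesign_report 2>/dev/null; then
        return 1
    fi
    return 0
}

# Usage on a macOS runner: ./sign_and_check.sh target/release/openfang
if [ $# -gt 0 ]; then
    sign_release_binary "$1" && verify_release_binary "$1"
fi
```

Putting the check in the workflow after the signing step means a runner where the certificate import silently failed (and codesign fell back to nothing, or a script fell back to ad hoc) fails the job instead of uploading a binary that will be SIGKILLed on users' machines.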
@citadelgrad (Author)

Local verification on macOS ARM64

Tested end-to-end on Apple Silicon (macOS 26.3, arm64) by building from source and simulating the download flow:

=== Reproduce the bug ===

# Build release binary, strip its signature, add quarantine xattr, tar/untar
$ codesign --remove-signature openfang
$ xattr -w com.apple.quarantine "0083;5f6a1234;curl;..." openfang
$ tar czf openfang.tar.gz openfang && tar xzf openfang.tar.gz -C install_dir/

# Run without fix → SIGKILL
$ install_dir/openfang --version
EXIT CODE: 137  # (128 + 9 = SIGKILL)

=== Apply the install.sh fix ===

$ xattr -cr install_dir/openfang
$ codesign --force --sign - install_dir/openfang

# Run after fix → works
$ install_dir/openfang --version
openfang 0.3.30
EXIT CODE: 0

The xattr -cr + codesign sequence in the updated install.sh resolves the SIGKILL on an unsigned/quarantined binary.
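The install-side sequence from the description and from the verification above, as an added example that is not the project's install.sh: strip the extended attributes first, then sign, and report and return a codesign failure instead of hiding it behind `2>/dev/null || true`. The function name, CODESIGN_IDENTITY and the path argument are this example's assumptions. One deliberate difference from the PR's script: it first asks whether the existing signature already verifies and leaves a valid one alone, since `codesign --force --sign -` would otherwise replace a Developer ID signature from CI with an ad-hoc one.

```shell
#!/bin/sh
# Added example, not the project's install.sh: strip xattrs, re-sign only when
# needed, and surface every failure. Names are this example's assumptions.

# Returns 0 when the binary carries a signature that verifies, 1 when stripping
# or signing failed (details on stderr), 2 when the path does not exist.
resign_cli() {
    bin=$1
    [ -f "$bin" ] || { echo "resign_cli: no such file: $bin" >&2; return 2; }

    # com.apple.quarantine / com.apple.provenance must go before signing;
    # -c clears all xattrs, -r recurses (harmless on a single file).
    if ! xattr -cr "$bin"; then
        echo "resign_cli: failed to strip extended attributes from $bin" >&2
        return 1
    fi

    # A signature that already verifies (e.g. Developer ID from CI) is kept:
    # --force --sign - would replace it with an ad-hoc one.
    if codesign --verify --strict "$bin" 2>/dev/null; then
        echo "resign_cli: existing signature on $bin verifies, leaving it" >&2
        return 0
    fi

    # Ad-hoc ("-") is the local fallback; CODESIGN_IDENTITY overrides it.
    identity=${CODESIGN_IDENTITY:--}
    if ! err=$(codesign --force --sign "$identity" "$bin" 2>&1); then
        echo "resign_cli: codesign failed for $bin:" >&2
        echo "$err" >&2
        echo "Manual fallback: xattr -cr '$bin' && codesign --force --sign - '$bin'" >&2
        return 1
    fi

    # A zero exit from codesign is not proof the kernel will accept the result;
    # verify strictly and surface the reason if it does not.
    if ! err=$(codesign --verify --strict --verbose=2 "$bin" 2>&1); then
        echo "resign_cli: signature on $bin does not verify after signing:" >&2
        echo "$err" >&2
        return 1
    fi
    return 0
}

# Usage: ./resign.sh ~/.openfang/bin/openfang
if [ $# -gt 0 ]; then
    resign_cli "$1" && "$1" --version
fi
```

Because the function returns non-zero on failure, an install script running under `set -e` stops at the broken signature with the codesign output in front of the user, which is the behaviour the description asks for in place of the silent `|| true`.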



Development

Successfully merging this pull request may close these issues.

CLI binary killed by SIGKILL on macOS Apple Silicon (Code Signature Invalid)
