
fix: use ditto for notarization archive and add runtime flag to Sparkle#326

Merged
jonathancaudill merged 1 commit into main from dev
Feb 28, 2026

Conversation


@jonathancaudill jonathancaudill commented Feb 28, 2026

zip -r dereferences symlinks (e.g. Sparkle.framework/Sparkle becomes a regular file copy) which breaks the bundle code seal — Apple's verifier checks that sealed symlinks are still symlinks, so it flags MacOS/Nook (where the bundle signature lives) and Sparkle.framework/Sparkle as having invalid signatures.

ditto -c -k --keepParent preserves symlinks, extended attributes, and all macOS filesystem metadata required for valid notarization archives.

Also add --options runtime to the Sparkle.framework/Versions/B signing step so the framework dylib passes Apple's hardened runtime check.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced macOS application signing process to comply with Apple's hardened runtime security requirements, ensuring successful notarization and reliable installation on all macOS versions.
    • Improved application packaging method to properly preserve critical system file attributes during notarization, preventing signature validation issues that could prevent app installation and verification.

zip -r dereferences symlinks (e.g. Sparkle.framework/Sparkle becomes a
regular file copy) which breaks the bundle code seal — Apple's verifier
checks that sealed symlinks are still symlinks, so it flags MacOS/Nook
(where the bundle signature lives) and Sparkle.framework/Sparkle as
having invalid signatures.

ditto -c -k --keepParent preserves symlinks, extended attributes, and
all macOS filesystem metadata required for valid notarization archives.

Also add --options runtime to the Sparkle.framework/Versions/B signing
step so the framework dylib passes Apple's hardened runtime check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jonathancaudill jonathancaudill merged commit f439a6e into main Feb 28, 2026
0 of 2 checks passed
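A pre-submission check for the problem the PR describes, as an added example that is not code from the PR or the project: it compares the bundle on disk with the archive and reports every symlink that the archiver flattened into a regular file or directory entry, which is what breaks the sealed bundle's signature. `Nook.app`, its `Sparkle.framework` layout and both archive builders are constructed stand-ins; `archive(keep_symlinks=False)` mimics `zip -r` via `ZipFile.write`, which also follows symlinks, and `keep_symlinks=True` stores link entries the way `ditto -c -k --keepParent` does.

```python
import os
import stat
import tempfile
import zipfile

def _entries(bundle_dir):  # yields (disk path, archive path); parent kept as --keepParent does
    parent = os.path.dirname(bundle_dir.rstrip("/"))
    for root, dirs, files in os.walk(bundle_dir):  # never descends into symlinked dirs
        for name in dirs + files:
            full = os.path.join(root, name)
            yield full, os.path.relpath(full, parent)

def find_flattened_symlinks(bundle_dir, zip_path):
    """Archive paths that are symlinks on disk but not symlink entries in the zip."""
    links = {arc for full, arc in _entries(bundle_dir) if os.path.islink(full)}
    with zipfile.ZipFile(zip_path) as zf:  # Unix mode lives in external_attr's high 16 bits
        return sorted(i.filename.rstrip("/") for i in zf.infolist()
                      if i.filename.rstrip("/") in links
                      and not stat.S_ISLNK(i.external_attr >> 16))

def archive(bundle_dir, zip_path, keep_symlinks):
    """keep_symlinks=False mimics `zip -r` (ZipFile.write follows links);
    keep_symlinks=True stores link entries, as `ditto -c -k --keepParent` does."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for full, arc in _entries(bundle_dir):
            if keep_symlinks and os.path.islink(full):
                info = zipfile.ZipInfo(arc)
                info.external_attr = (stat.S_IFLNK | 0o755) << 16
                zf.writestr(info, os.readlink(full))
            elif os.path.isfile(full) or os.path.islink(full):
                zf.write(full, arc)  # stores a dereferenced copy, like zip -r

def build_demo_bundle(base):
    """Constructed stand-in for Nook.app with Sparkle.framework's symlink layout."""
    fw = os.path.join(base, "Nook.app/Contents/Frameworks/Sparkle.framework")
    os.makedirs(os.path.join(fw, "Versions/B"))
    open(os.path.join(fw, "Versions/B/Sparkle"), "wb").close()  # empty stand-in dylib
    os.symlink("B", os.path.join(fw, "Versions/Current"))
    os.symlink("Versions/Current/Sparkle", os.path.join(fw, "Sparkle"))
    return os.path.join(base, "Nook.app")

def demo():
    """Archive the constructed bundle both ways and report flattened symlinks."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle, out = build_demo_bundle(tmp), {}
        for label, keep in (("zip -r", False), ("ditto", True)):
            path = os.path.join(tmp, label[:3] + ".zip")
            archive(bundle, path, keep_symlinks=keep)
            out[label] = find_flattened_symlinks(bundle, path)
        return out
```

Run against a real `.app` and the zip produced by the workflow, `find_flattened_symlinks` should return an empty list before the archive goes to `notarytool`; anything it lists is a link the archiver flattened.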

coderabbitai bot commented Feb 28, 2026

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 45795bc and 54113d6.

📒 Files selected for processing (1)
  • .github/workflows/macos-notarize.yml

📝 Walkthrough

This pull request updates the macOS notarization workflow to enhance code signing security and archive integrity. The changes add the hardened runtime option to codesign operations for both the Sparkle framework and main application, while replacing zip with ditto for archiving to preserve macOS symlinks and extended attributes.

Changes

Cohort / File(s) | Summary
Notarization Workflow (.github/workflows/macos-notarize.yml) | Updated codesign invocations to include the --options runtime flag for hardened runtime support on the Sparkle framework and main app. Replaced zip -r with ditto -c -k --keepParent for archiving to preserve macOS symlinks and extended attributes without corrupting signatures.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit hops through workflows bright,
With runtime hardened, signatures tight,
Symlinks preserved in ditto's care,
Notarization's now beyond compare!

