What problem are you trying to solve?
nono's macOS release binaries are distributed unsigned. This causes several problems for macOS users:
- Keychain password prompts. Unsigned binaries get a new/unstable code signing identity on each build, so macOS treats every release as a different application. Any nono component that touches Keychain items (the keystore / credential injection in nono-proxy) triggers repeated "allow access to keychain" prompts, and ACL grants don't persist across versions.
- Gatekeeper friction. Unsigned, un-notarized binaries are blocked by Gatekeeper ("cannot be opened because the developer cannot be verified"), forcing users to right-click-open or strip the quarantine attribute manually.
- Enterprise allowlisting. Many enterprise environments allowlist tools by code signature / Team ID (via MDM, EDR, or app allowlisting). Unsigned binaries can't be allowlisted by signature, which blocks adoption of nono in exactly the kind of locked-down environment a sandboxing tool targets.
What would you like to see?
macOS release artifacts should be codesigned with a Developer ID certificate and notarized (with the notarization ticket stapled) before publishing.
Suggested approach: add a GitHub Actions release pipeline using GoReleaser to handle cross-target builds plus signing and notarization in one place.
What have you tried instead?
Users currently work around Gatekeeper with right-click-open and re-approve Keychain prompts on every release; neither is viable for enterprise allowlisting.
How is this blocking you?
It's blocking production use of nono.
Additional context
rcodesign (apple-codesign crate).
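
A release-gate check for the signing request above, as an added example that is not part of the original issue or nono's code: it classifies `codesign -dvv` output so a pipeline can reject ad-hoc builds before publishing. The sample outputs are constructed and `ABCDE12345` is a placeholder Team ID.

```shell
#!/bin/sh
# Added example. Samples are constructed; ABCDE12345 is a placeholder Team ID.

# Constructed: ad-hoc (linker) signature, as reported for an unsigned build.
ADHOC_SAMPLE='Executable=/tmp/nono
Identifier=nono-5555494412345678
CodeDirectory v=20400 size=1024 flags=0x20002(adhoc,linker-signed) hashes=29+0 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Constructed: Developer ID signature with the hardened runtime enabled.
DEVID_SAMPLE='Executable=/tmp/nono
Identifier=nono
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=29+0 location=embedded
Authority=Developer ID Application: Example Org (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# field NAME TEXT: value of the first "NAME=value" line, empty if absent.
field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# cs_flags TEXT: comma-separated flag names from the CodeDirectory line.
cs_flags() {
    printf '%s\n' "$1" | sed -n 's/^CodeDirectory .*flags=0x[0-9a-fA-F]*(\([^)]*\)).*/\1/p'
}

# classify TEXT TEAM: print a verdict; return 0 only for a Developer ID
# signature from TEAM with the hardened runtime (needed for notarization).
classify() {
    if [ "$(field Signature "$1")" = "adhoc" ]; then echo adhoc; return 1; fi
    case $(field Authority "$1") in
        "Developer ID Application: "*) ;;
        *) echo not-developer-id; return 1 ;;
    esac
    if [ "$(field TeamIdentifier "$1")" != "$2" ]; then echo wrong-team; return 1; fi
    case ",$(cs_flags "$1")," in
        *,runtime,*) ;;
        *) echo no-hardened-runtime; return 1 ;;
    esac
    echo ok
}

# On macOS: classify "$(codesign -dvv ./nono 2>&1)" ABCDE12345
classify "$ADHOC_SAMPLE" ABCDE12345 || true
classify "$DEVID_SAMPLE" ABCDE12345
```

`codesign` writes its display output to stderr, hence the `2>&1` in the usage comment.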