
Notarize macOS builds

Ivan Yossi requested to merge ivany/krita:409673_macOS-Notarize into master

Add the necessary steps to create a notarized build for krita

Notarized builds require a valid Apple developer account. Most conditions are tested on test cases. The general logic follows the steps recommended for automated scripts. rawTherapee code helped to validate most assumptions (rawTherapee code from: https://github.com/Beep6581/RawTherapee/blob/6fa533c40b34dec527f1176d47cc6c683422a73f/tools/osx/macosx_bundle.sh#L225-L250). Documentation from Apple reads that a single petition should give a staple key for the container and the bundled application. However, we opted to use the rawTherapee approach of notarizing the dmg and the application separately.

Hardening is a runtime requirement from Apple; it is said it's only necessary to modify steps in the deployment step and not in the compiling phase. If that really is the case, the patch should suffice (assuming it is correct); if not, probably all deps and Krita need extra hardening flags.

osxdeploy new commands

-notarize_ac Name of the account used for apple developer program

-notarize_pass Password for the given account. This can be skipped if a keychain password is set like this: security add-generic-password -a "AC_USERNAME" -w <secret_password> -s "KRITA_AC_PASS", where AC_USERNAME is the Apple developer account name. Krita then sends the notarized build petition using "@keychain:KRITA_AC_PASS" in xcrun, which retrieves the password for sending. This method is mentioned in Apple documentation in: https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc#3087734
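An added example, not Krita's osxdeploy.sh, of the credential handling the two options above imply: the keychain reference keeps the app-specific password out of the command line, process list and shell history. XCRUN, the bundle id and the file name are assumptions; altool is the submission tool the linked Apple page documented at the time (Apple has since replaced it with notarytool).

```shell
#!/bin/sh
# Added example, not Krita's osxdeploy.sh: credential handling implied by
# the -notarize_ac / -notarize_pass options. KRITA_AC_PASS is the keychain
# service name from the description; XCRUN lets a caller substitute "echo"
# for a dry run on a machine without Xcode (assumed variable name).
XCRUN="${XCRUN:-xcrun}"
NOTARIZE_AC=""
NOTARIZE_PASS=""

# Pick the two notarization options out of the argument list.
parse_notarize_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -notarize_ac)   NOTARIZE_AC="$2"; shift 2 ;;
            -notarize_pass) NOTARIZE_PASS="$2"; shift 2 ;;
            *) shift ;;
        esac
    done
}

# altool accepts "@keychain:<service>" instead of a literal password; the
# secret then stays in the keychain item created with
#   security add-generic-password -a "$AC_USERNAME" -w <secret> -s "KRITA_AC_PASS"
# and never appears in the process list or shell history.
ac_password_arg() {
    if [ -n "$NOTARIZE_PASS" ]; then
        printf '%s\n' "$NOTARIZE_PASS"
    else
        printf '%s\n' "@keychain:KRITA_AC_PASS"
    fi
}

# Submit one artifact (the .dmg, or the .app zipped) for notarization.
# Returns 1 without contacting Apple when no account name was given.
notarize_file() {
    bundle_id="$1"; file="$2"
    if [ -z "$NOTARIZE_AC" ]; then
        echo "notarize_file: -notarize_ac is required" >&2
        return 1
    fi
    "$XCRUN" altool --notarize-app --primary-bundle-id "$bundle_id" \
        --username "$NOTARIZE_AC" --password "$(ac_password_arg)" \
        --file "$file"
}

# Staple the ticket once Apple has approved the submission (the real script
# must poll `xcrun altool --notarization-info <uuid>` before calling this).
staple_file() {
    "$XCRUN" stapler staple "$1"
}
```

Because the dmg and the application are notarized separately, notarize_file and staple_file are run once per artifact.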

BUG:409673
