Merge bitcoin/bitcoin#29127: Use hardened runtime on macOS release builds.

4fdd836 Use hardened runtime on macOS release builds. (Mark Friedenbach)

Pull request description:

  The Apple notary service requires submitted app bundles to be configured to use the hardened runtime libraries. This is configured at signing time, and supported by the signapple tool Bitcoin Core uses for reproducible signed binaries. We simply need to pass "--hardened-runtime" when the signature is created. Once attached to the bundle, the resulting codesigned binary can be successfully submitted to the Apple binary notarization service by any Apple Developer.

  This partially resolves #15774. The release maintainer, or any authorized Apple Developer, will need to run `xcrun notarytool` to prevent gatekeeper warnings on macOS. Using `xcrun staple` to generate a binary that doesn't call home on first launch would be a bonus, but at least this would massively improve the user experience.

ACKs for top commit:
  fanquake:
    ACK 4fdd836 - we can move ahead with this, and figure out notarisation / stapling as a followup.

Tree-SHA512: 7b8ba50030fb230d44bd63d12ed082537e8eaaa61396114c5df715f8dd6772fd8d84b00dc819f88d9a463996c2170a84981fce1bde7f7999b4bdb914fbcdfdac
fanquake committed Jan 11, 2024
2 parents fcacbab + 4fdd836 commit 522b837
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion contrib/macdeploy/detached-sig-create.sh
@@ -24,7 +24,7 @@ fi
rm -rf ${TEMPDIR}
mkdir -p ${TEMPDIR}

${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}"
${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}" --hardened-runtime

tar -C "${TEMPDIR}" -czf "${OUT}" .
rm -rf "${TEMPDIR}"
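Review bot: the new `--hardened-runtime` flag on the sign line is appended after both the pass-through `"$@"` and the positional `"${BUNDLE}"`, so it relies on signapple's parser accepting an option after positionals and after whatever arguments a caller supplies; placing it with the other fixed options, e.g. `${SIGNAPPLE} sign -f --detach --hardened-runtime "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}"`, keeps the intent explicit and avoids any interaction with caller-supplied arguments. A one-line comment above the call saying the flag is required for notarization would also save the next reader a trip to the PR. Unrelated to this change but visible in the same hunk, `rm -rf ${TEMPDIR}` and `mkdir -p ${TEMPDIR}` leave the variable unquoted while the later `rm -rf "${TEMPDIR}"` quotes it; quoting all three would be consistent and safer if the path ever contains whitespace.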
