Harden unsigned DMG signature integrity #203

Merged: aaf2tbz merged 3 commits into main from fix/dmg-adhoc-signature-integrity on Jun 14, 2026

@aaf2tbz aaf2tbz commented Jun 14, 2026

Owner

Summary

  • ad-hoc sign the full macOS app bundle when Apple Developer ID credentials are unavailable
  • make mounted-DMG verification fail on invalid app bundle signatures
  • make the updater reject staged update apps that fail deep strict codesign verification

Evidence

  • Current v0.46.8 release logs show Apple signing secrets were empty and the workflow uploaded an unsigned DMG.
  • Local v0.46.8 DMG fails with: code has no resources but signature indicates they must be present.
  • The new mounted-DMG verifier rejects the broken v0.46.8 DMG before install.
  • The ad-hoc signing command repairs a copied v0.46.8 app bundle so codesign --verify --deep --strict passes.

Tests

  • python3 tools/ci/verify-dmg-workflow.py
  • node --check app/build/notarize.cjs
  • bash -n app/updater/update.sh
  • bash -n tools/dmg/verify-dmg-runtime-assets.sh

@aaf2tbz aaf2tbz merged commit 8fa23ff into main Jun 14, 2026
7 checks passed
@aaf2tbz aaf2tbz deleted the fix/dmg-adhoc-signature-integrity branch June 14, 2026 07:27
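
The updater gate described in the summary (reject a staged update app unless `codesign --verify --deep --strict` passes), sketched as an added example; it is not code from this pull request or from the project's `update.sh`. The function names, return codes and the `.new` swap path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's updater. Function names, return codes
# and the "$dest.new" staging path are hypothetical.

# Return 0 only if the bundle passes deep strict verification; fail closed otherwise.
verify_staged_app() {
    local app
    local out
    app="$1"
    # A missing path or a plain file is never a valid app bundle.
    if [ ! -d "$app" ]; then
        echo "reject: $app is not an app bundle directory" >&2
        return 2
    fi
    # If the verifier itself is unavailable, refuse rather than skip the check.
    if ! command -v codesign >/dev/null 2>&1; then
        echo "reject: codesign not available" >&2
        return 3
    fi
    # --deep checks nested code, --strict enforces resource-seal rules; this
    # is the check that reports "code has no resources but signature
    # indicates they must be present" for a partially signed bundle.
    if ! out="$(codesign --verify --deep --strict "$app" 2>&1)"; then
        echo "reject: $app failed codesign verification: $out" >&2
        return 1
    fi
    return 0
}

# Install a staged bundle only after verification; the existing
# installation at $dest is left untouched on any failure.
install_staged_app() {
    local staged
    local dest
    staged="$1"
    dest="$2"
    verify_staged_app "$staged" || return $?
    rm -rf "$dest.new"
    cp -R "$staged" "$dest.new" || return 4
    # Re-verify the copy so a bundle damaged during copying is not swapped in.
    if ! verify_staged_app "$dest.new"; then
        rm -rf "$dest.new"
        return 1
    fi
    rm -rf "$dest"
    mv "$dest.new" "$dest"
}
```

An ad-hoc signature that passes this check shows the bundle is internally consistent, not who produced it, so the gate complements rather than replaces authenticating the download.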