Add code signing config for Windows (Azure Artifact Signing) and macOS (Apple notarization)

CI workflows now support code signing when secrets are configured:
- macOS: Apple Developer certificate + App Store Connect API key for notarization
- Windows: Azure Artifact Signing via signtool + dlib
- Both are no-ops when secrets aren't set (backwards-compatible)
- Add Entitlements.plist (mic, network) and Info.plist (NSMicrophoneUsageDescription)
- Add SIGNING.md with full setup guide for both platforms

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/build-app-macos.yml

@@ -39,7 +39,27 @@ jobs:
       - name: Install npm dependencies
         run: npm ci
 
+      - name: Setup code signing
+        env:
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_KEY_CONTENT: ${{ secrets.APPLE_API_KEY_CONTENT }}
+        run: |
+          if [ -n "${APPLE_API_KEY_CONTENT}" ]; then
+            echo "Setting up notarization API key..."
+            mkdir -p ~/private_keys
+            echo "${APPLE_API_KEY_CONTENT}" > ~/private_keys/AuthKey_${APPLE_API_KEY}.p8
+          else
+            echo "No signing secrets configured, skipping code signing setup"
+          fi
+
       - name: Build Tauri app
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY_PATH: ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY }}.p8
         run: npm run tauri build
 
       - name: Upload to release
@@ -91,3 +111,6 @@ jobs:
               "${REPO_API}/releases/${RELEASE_ID}/assets?name=${encoded_name}")
             echo "Upload response: HTTP ${HTTP_CODE}"
           done
+
+      - name: Cleanup signing artifacts
+        run: rm -rf ~/private_keys