ipfs / distributions

Legacy dist.ipfs.tech website and artifact build tools
https://dist.ipfs.tech
MIT License

Switch Apple Notarization from gon/altool to notarytool. #1066

Closed lidel closed 3 months ago

lidel commented 5 months ago

We've been using gon since 2021. It was the best tool at the time, used by other projects like Terraform (https://github.com/ipfs/distributions/issues/273#issuecomment-874831925), but it no longer gets any updates, and the project has been shut down by its maintainer: https://github.com/mitchellh/gon#readme

On top of that, the mechanism gon uses got deprecated by Apple; CI notarization produces a deprecation warning:

{"@level":"info","@message":"notarization submission complete","@module":"notarize","@timestamp":"2024-01-30T22:14:25.909175Z","err":null,"output":"\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\n\u003cplist version=\"1.0\"\u003e\n\u003cdict\u003e\n\t\u003ckey\u003enotarization-upload\u003c/key\u003e\n\t\u003cdict\u003e\n\t\t\u003ckey\u003eRequestUUID\u003c/key\u003e\n\t\t\u003cstring\u003e5346bf5b-0c9a-47af-8c0b-1866a0f8a9ea\u003c/string\u003e\n\t\u003c/dict\u003e\n\t\u003ckey\u003eos-version\u003c/key\u003e\n\t\u003cstring\u003e12.7.2\u003c/string\u003e\n\t\u003ckey\u003esuccess-message\u003c/key\u003e\n\t\u003cstring\u003eNo errors uploading 'tmp/ipfs-cluster-ctl_v1.0.8_amd64-signed.zip'.\u003c/string\u003e\n\t\u003ckey\u003etool-path\u003c/key\u003e\n\t\u003cstring\u003e/Applications/Xcode_14.2.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework\u003c/string\u003e\n\t\u003ckey\u003etool-version\u003c/key\u003e\n\t\u003cstring\u003e6.043.14043\u003c/string\u003e\n\t\u003ckey\u003ewarnings\u003c/key\u003e\n\t\u003carray\u003e\n\t\t\u003cdict\u003e\n\t\t\t\u003ckey\u003ecode\u003c/key\u003e\n\t\t\t\u003cinteger\u003e-1030\u003c/integer\u003e\n\t\t\t\u003ckey\u003emessage\u003c/key\u003e\n\t\t\t\u003cstring\u003ealtool has been deprecated for notarization and starting in late 2023 will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software.\u003c/string\u003e\n\t\t\t\u003ckey\u003euserInfo\u003c/key\u003e\n\t\t\t\u003cdict\u003e\n\t\t\t\t\u003ckey\u003eNSLocalizedDescription\u003c/key\u003e\n\t\t\t\t\u003cstring\u003ealtool has been deprecated for notarization and starting in late 2023 will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software.\u003c/string\u003e\n\t\t\t\u003c/dict\u003e\n\t\t\u003c/dict\u003e\n\t\u003c/array\u003e\n\u003c/dict\u003e\n\u003c/plist\u003e\n\n"}

[...]altool has been deprecated for notarization and starting in late 2023 will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software.
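
A CI check for the warning quoted above, as an added example that is not part of the original issue or the project's tooling: it parses a gon-style JSON log line, decodes the plist embedded in its `output` field, and reports whether warning code -1030 is present. The sample lines are constructed to mirror the structure of the quoted log, and the function names are hypothetical.

```python
import json
import plistlib
from xml.parsers.expat import ExpatError

ALTOOL_DEPRECATED = -1030  # warning code in the log line quoted in the issue


def altool_warnings(log_line):
    """Return (code, message) pairs from the plist embedded in one JSON log line."""
    try:
        event = json.loads(log_line)
    except json.JSONDecodeError:
        return []  # plain-text CI output, not a structured log event
    output = event.get("output") if isinstance(event, dict) else None
    if not isinstance(output, str) or "<plist" not in output:
        return []
    try:
        # plistlib needs bytes, and format detection fails on leading whitespace
        report = plistlib.loads(output.strip().encode("utf-8"))
    except (ValueError, ExpatError):
        return []  # truncated or malformed plist
    warnings = report.get("warnings") if isinstance(report, dict) else None
    if not isinstance(warnings, list):
        return []
    return [(w.get("code"), w.get("message", ""))
            for w in warnings if isinstance(w, dict)]


def uses_deprecated_altool(log_lines):
    """True if any log line carries the altool deprecation warning."""
    return any(code == ALTOOL_DEPRECATED
               for line in log_lines
               for code, _ in altool_warnings(line))


def sample_line(warnings):
    """Build a constructed log line shaped like the one quoted in the issue."""
    plist = plistlib.dumps({
        "notarization-upload": {"RequestUUID": "00000000-0000-0000-0000-000000000000"},
        "warnings": warnings,
    }).decode("utf-8")
    return json.dumps({"@level": "info", "@module": "notarize",
                       "@message": "notarization submission complete",
                       "err": None, "output": plist + "\n\n"})


# Constructed sample input (not real CI output).
SAMPLE_DEPRECATED = sample_line(
    [{"code": -1030, "message": "altool has been deprecated for notarization"}])
SAMPLE_CLEAN = sample_line([])
```

Failing the release job when `uses_deprecated_altool` returns true turns a warning buried in an escaped plist into a visible signal before the notary service stops accepting the old submission path.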

lidel commented 3 months ago

NodeJS switched from gon to notarytool, things to investigate:

Option B is to switch to "the most comprehensive implementation of Apple code signing outside the canonical Apple tools", a Rust tool that does not require a macOS runner.

I'll try the Rust way first – if we can remove the need for running this on a macOS worker, it's only better.