plotly / Kaleido

Fast static image export for web-based visualization libraries with zero dependencies

codesign MacOS binaries #1

Open jonmmease opened 4 years ago

jonmmease commented 4 years ago

We should work out how to digitally sign the MacOS kaleido binary so that it doesn't get blocked by the default settings of Gatekeeper.

Looks like we could do this from the command line using the codesign command after the build has been completed: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html

jonmmease commented 4 years ago

After a bit of research and experimentation, it looks like Gatekeeper will only check for code signatures for files/apps that have the com.apple.quarantine xattr set. This gets set by web browsers and email clients when files are downloaded, but it isn't set by the pip and conda package managers, so users getting kaleido in the Python wheel shouldn't run into issues with Gatekeeper flagging it. Not sure about other language-specific package managers.

References:

Will keep this issue open as code signing would still be a good idea eventually, but it doesn't need to block the initial release.
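The behaviour described in the comment above can be checked per file on macOS. The following is an added example, not part of the original thread or the Kaleido project; it assumes the stock macOS `xattr` and `codesign` tools, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a file carries the com.apple.quarantine xattr
# and whether its code signature verifies. Function names are hypothetical.

# Prints "quarantined" if the xattr is present, else "not-quarantined".
quarantine_state() {
    if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        echo "quarantined"
    else
        echo "not-quarantined"
    fi
}

# Prints "signed" if codesign can verify a signature, else "unsigned-or-invalid".
# A verifying signature alone does not mean Gatekeeper will accept the file.
signature_state() {
    if codesign --verify --strict "$1" >/dev/null 2>&1; then
        echo "signed"
    else
        echo "unsigned-or-invalid"
    fi
}

# Combines both states into one line per file. Runs in a subshell so the
# helper variables q and s do not leak into the caller.
gatekeeper_triage() (
    q=$(quarantine_state "$1")
    s=$(signature_state "$1")
    case "$q/$s" in
        not-quarantined/*)
            echo "$1: $q, $s -> signature check not triggered" ;;
        quarantined/signed)
            echo "$1: $q, $s -> signature will be assessed" ;;
        *)
            echo "$1: $q, $s -> likely blocked under default settings" ;;
    esac
)

# When called with file arguments, triage each one.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        gatekeeper_triage "$f"
    done
fi
```

Run it against the kaleido executable from a browser download and from a pip or conda install to compare the two results.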

jonmmease commented 4 years ago

When distributed as a conda package, orca didn't get blocked by Gatekeeper in order to run, but it did get blocked when attempting to bind to a local port. See https://github.com/plotly/orca/issues/269.

Kaleido won't run into this issue because it doesn't use ports for communication.