Implement macOS app notarization

[cwillisf]

Resolves

Resolves #178

Proposed Changes

1. Enable the "hardened runtime" -- this is prerequisite for notarization
   • This simply means passing --options runtime to the existing codesign calls, and --Xcodesign --options --Xcodesign runtime to existing swift-stdlib-tool calls.
2. Add steps in the Makefile to notarize the application. The steps involved are, roughly:
   1. Build the installer PKG as we did before (but store it in a temp directory for now)
   2. Upload that PKG to Apple's notarization service using altool, AKA Application Loader
   3. Wait until Apple's servers finish notarization. This typically takes 1-3 minutes but sometimes takes more than 10 minutes.
   4. Use stapler to "staple" the notarization results to a new copy of the PKG. This allows the application to be verified when the user might not have an active Internet connection.

The file macOS/Packaging/notarize.sh takes care of running altool, waiting for results, and stapling. It's not quite a general utility script right now, but it's close enough for the purposes of the scratch-link build process.

My approach is largely based on this article: https://nativeconnect.app/blog/mac-app-notarization-from-the-command-line/

Reason for Changes

In macOS Catalina and above, software that doesn't come from the Mac App Store must be notarized. Otherwise, macOS prevents the user from running the software.

[cwillisf]

Reviewed interactively with @fsih