macOS: ad-hoc sign builds when no Apple Developer Program cert is present #7

Merged

Pterjudin merged 1 commit into main from feat/macos-unsigned-builds-2026-05-25 on May 25, 2026

Conversation

@Pterjudin

Why

CortexIDE no longer maintains a paid Apple Developer Program membership. The last macOS release run failed at the notarization step with:

HTTP 403: A required agreement is missing or has expired.
Failed to store notarization credentials

xcrun notarytool requires an active membership; there is no free path to Apple-notarized builds. Rather than blocking macOS releases entirely while the membership question is sorted out, this PR ships ad-hoc-signed .dmg/.zip builds — the same approach used by VSCodium, MacVim, and most open-source Mac apps.

What changes

`prepare_assets.sh` — the `if [[ -n "${CERTIFICATE_OSX_P12_DATA}" ]]` block now has an else branch that:

  1. Locates the built .app in `VSCode-darwin-${VSCODE_ARCH}/`.
  2. Recursively ad-hoc-signs every nested `*.dylib`, `*.framework`, `*.node`, and nested `*.app` (helpers) via `codesign --force --sign - --timestamp=none`.
  3. Ad-hoc-signs the outer .app with `--deep`.
  4. Verifies the signature with `codesign --verify --deep --strict --verbose=2`.
  5. Skips `xcrun notarytool submit` and `xcrun stapler staple` entirely.

The existing DMG block already falls back to npx create-dmg --no-code-sign when CODESIGN_IDENTITY is empty, so the .dmg and .zip artifacts are produced unchanged in name and location. Output filenames stay CortexIDE.x64.${version}.dmg / CortexIDE.arm64.${version}.dmg, so cortexide-website's download URLs keep working.

Why ad-hoc instead of unsigned

A fully-unsigned bundle won't load on Apple Silicon — dyld rejects unsigned hardened binaries at runtime. Ad-hoc signing (codesign --sign -) is free, requires no Apple account, and makes the bundle structurally valid (nested Helpers verify, all Mach-Os have a code-directory). Gatekeeper still shows the "cannot verify the developer" prompt on first launch; the companion website PR documents how users bypass it.

Backwards compatibility

If a contributor later restores CERTIFICATE_OSX_P12_DATA + the rest of the Apple secrets, the existing identity-signing + notarization + stapling path activates automatically with no further code changes. The gate is the same env var the script already checked.

Out of scope

  • Linux / Windows release pipelines (untouched)
  • The unrelated webhook agent Linux/Windows release failures
  • Any change to upstream vscode/build/darwin/sign.ts

Test plan

  • workflow_dispatch on this branch with generate_assets=true and no Apple secrets exposed; confirm the "ad-hoc signing" log line appears, codesign --verify passes, and .dmg + .zip artifacts upload.
  • Manually download the .dmg, mount, drag to /Applications, attempt to launch — Gatekeeper should show "unverified developer" (expected), and the right-click → Open workaround should succeed.
  • Re-run with CERTIFICATE_OSX_P12_DATA populated (if/when membership is restored) to confirm the original identity-signing path is unaffected.

Required follow-up

Pair with the install-instructions PR on cortexide-website so users have a clear path through the Gatekeeper prompt.
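The else branch described in steps 1-5 above, as an added example written for this page and not CortexIDE's own prepare_assets.sh. The CODESIGN override, the bundle fixture and the main entry point are assumptions added so the bottom-up traversal can be exercised with a stub off-macOS; on a release runner CODESIGN is simply codesign.

```shell
#!/usr/bin/env bash
# Added example, not CortexIDE's prepare_assets.sh: the ad-hoc fallback
# branch as standalone functions. CODESIGN (assumed, not in the script) can
# be pointed at a stub so the signing order can be checked without macOS.
set -eu
CODESIGN="${CODESIGN:-codesign}"

# Nested code objects to sign, deepest first. find -depth walks post-order,
# so a helper .app's dylibs are listed before the helper and a framework's
# contents before the framework. The outer .app (depth 0) is excluded.
adhoc_sign_targets() {
  find "$1" -depth -mindepth 1 \
    \( -name '*.dylib' -o -name '*.framework' -o -name '*.node' -o -name '*.app' \) \
    -print
}

# Steps 2-4: sign nested objects, then the outer bundle with --deep, then
# verify strictly. notarytool submit and stapler staple are deliberately absent.
adhoc_sign_app() {
  app="$1"
  echo "ad-hoc signing ${app} (no Apple Developer Program identity available)"
  adhoc_sign_targets "$app" | while IFS= read -r target; do
    "$CODESIGN" --force --sign - --timestamp=none "$target"
  done
  "$CODESIGN" --force --deep --sign - --timestamp=none "$app"
  "$CODESIGN" --verify --deep --strict --verbose=2 "$app"
}

# Same gate the script already uses: identity signing when the certificate
# secret is present, ad-hoc otherwise. Argument: the build directory,
# e.g. VSCode-darwin-${VSCODE_ARCH} (step 1).
main() {
  if [ -n "${CERTIFICATE_OSX_P12_DATA:-}" ]; then
    echo "CERTIFICATE_OSX_P12_DATA present: identity-signing path applies"
    return 0
  fi
  for app in "$1"/*.app; do
    [ -d "$app" ] || { echo "no .app bundle found in $1" >&2; return 1; }
    adhoc_sign_app "$app"
  done
}

# Only act when a build directory is passed; sourcing the file defines the functions.
if [ "$#" -gt 0 ]; then main "$1"; fi
```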

CortexIDE no longer maintains a paid Apple Developer Program membership,
so notarization fails with `HTTP 403: A required agreement is missing or
has expired`. Until/unless that membership is reinstated, fall back to
ad-hoc signing the .app bundle (`codesign --sign -`) when
CERTIFICATE_OSX_P12_DATA is empty:

- Sign nested helpers/frameworks/dylibs bottom-up, then the outer .app
- Verify with `codesign --verify --deep --strict`
- Skip notarytool submission and stapler entirely
- DMG packaging still runs (existing `--no-code-sign` fallback already
  handles the empty CODESIGN_IDENTITY case)

The identity-based signing + notarization path is preserved verbatim
and reactivates automatically the moment the secrets are restored. No
changes to Linux or Windows pipelines, no new dependencies.

Pair this with the website install-instructions PR so Mac users know
they need to right-click → Open (or `xattr -cr`) on first launch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Pterjudin Pterjudin marked this pull request as ready for review May 25, 2026 04:00
@Pterjudin Pterjudin merged commit 75fb23f into main May 25, 2026
6 checks passed