Revert to GoReleaser built-in notarize when goreleaser/quill syncs TeamIdentifier fix

[jeremy]

Context

PR #392 works around a bug in goreleaser/quill where the TeamIdentifier field is never populated in the CodeDirectory during macOS code signing (anchore/quill#147).

The fix landed in anchore/quill v0.7.0 (March 9, 2026, PR #669) but goreleaser/quill has not synced it as of GoReleaser v2.14.3.

When to act

When a GoReleaser release ships with an updated goreleaser/quill that includes the TeamIdentifier fix. Check periodically or watch goreleaser/quill for upstream syncs.

What to revert

1. Delete scripts/sign-darwin.sh
2. Re-enable built-in notarize in .goreleaser.yaml (restore the notarize.macos block with env-gated enabled)
3. Remove from .github/workflows/release.yml:
   • "Install quill for macOS signing" step
   • "Prepare signing credentials" step
   • "Notarize macOS binaries" step
   • "Clean up signing credentials" step
   • QUILL_SIGN_P12 env var from the GoReleaser step
4. Remove --skip=notarize from GoReleaser invocation
5. Keep the macos-verify job (it validates the invariant regardless of signing method)
6. Update RELEASING.md to remove the tradeoffs section