building: macOS: strip the signature off the collected Python shared library

[rokm]

Recent version of python on macOS have their Python shared library signed due to Gatekeeper requirements. Due to partial collection of content from the Python.framework, the copy of Python shared library that we bundle with frozen application ends up with its signature invalidated, and refuses to load regardless of Gatekeeper settings.

Manually stripping the (now invalid) signature using codesign --remove-signature fixes the problem, but can be performed
only with onedir builds. Therefore, we now attempt to detect the signature and automatically strip it away in order to accomodate
both onefile and onedir builds.

Fixes #5062.
Fixes #5272.
Fixes #5434.

[htgoebel]

Thanks. Good catch

[htgoebel]

@rokm May I ask you to also clean up the commits when applying the requested reviews. Thiy would make miy live easier and avoid ugliy commits like 862a28e or 0334e09. Thanks.

(Yes, this might require to leave this limit, proprietary github platform.)

[rokm]

@rokm May I ask you to also clean up the commits when applying the requested reviews. Thiy would make miy live easier and avoid ugliy commits like 862a28e or 0334e09. Thanks.

Sure, will do from now on.

It seemed that the policy was to squash all commits from a PR into a single one before merging it, so I've been leaving them as is. And I've been trying to avoid re-triggering CI for minor thins, such as news fragments and minor changes. But I agree that it looks ugly in commit history if merged directly.

(Yes, this might require to leave this limit, proprietary github platform.)

Oh, that's not a problem at all - I prefer local (interactive) rebases on command-line, anyway :-)

[htgoebel]

to avoid re-triggering CI for minor things

I agree on this.

Looks like I've been to harsh, sorry. Yes, most times we squash, I just forgot this time. So it's my fault. sorry.