mac: Enable autoupdate by sign and notarize via github action

Signed and notarized binaries are the precondition for autoupdates on
mac. Additionally Gatekeeper on 10.15+ is happy and allows to open the
app instead of blocking it.

The notarize step is added unconditionally, as it only emits a warning if
the notarization API key is not set, but it does not break the build.

This is an upstreaming of https://github.com/csett86/jitsi-meet-electron
where it worked since March 2020.

On CI, only sign if not triggered by pull request, as these will fail (as secrets
are not available to pull request builds).

The required github secrets (signing key, cert and notarize API login, password and team id) are:

Signing

Open the Keychain Access app. Export all certificates (Developer ID Certificate) related to your app into a single file (e.g. certs.p12) and set a strong password.

Base64-encode your certificates using the following command: base64 -i certs.p12 -o encoded.txt

In the GitHub repository, go to Settings → Secrets and add the following two variables:

    mac_certs: Your base64 encoded certificates, i.e. the content of the encoded.txt file you created before
    mac_certs_password: The password you set when exporting the certificates

Notarization

Create an app-specific password for your apple id: https://support.apple.com/de-de/HT204397

In the GitHub repository, go to Settings → Secrets and add the following three variables:

    apple_id: your apple id
    apple_id_password: the just created app-specific password for your apple id
    team_id: your team short name: https://github.com/electron/electron-notarize#notes-on-your-team-short-name



Co-authored-by: Saúl Ibarra Corretgé <s@saghul.net>