
apple-codesign: zip notarization support #20

Merged
merged 1 commit into from
Sep 21, 2022

Conversation

deansheather (Contributor)

From indygreg/PyOxidizer#635

Adds the ability to notarize .zip files containing other notarizable assets (such as a Mach-O binary).

Stapling (via the staple subcommand or notary-submit --staple option) is not supported for .zip files and will return an error.

Zip files are supported by the popular gon tool, which we were previously using. We would like to switch to rcodesign to sign our darwin release binaries, but we can't as we don't release our CLI as a bundle, xar or dmg file.

```
$ rcodesign sign --p12-file ./AppleDevCert_Production.p12 --p12-password-file ./cert-pw.txt --code-signature-flags runtime ./build/coder_darwin_arm64
...

$ zip x.zip build/coder_darwn_arm64
  adding: build/coder_darwin_arm64 (deflated 23%)

$ rcodesign notary-submit --api-key-path ./key.json --wait x.zip
creating Notary API submission for x.zip (sha256: 309d5c53a47a45a07c1869171df7b1b136d1077f5f0e268373d2fefd18074b0d)
created submission ID: 51310405-3244-46cc-a2f3-efd83401bcbf
resolving AWS S3 configuration from Apple-provided credentials
uploading asset to s3://notary-submissions-prod/prod/AROARQRX7CZS3PRF6ZA5L:51310405-3244-46cc-a2f3-efd83401bcbf
(you may see additional log output from S3 client)
send_operation;
send_operation; operation="PutObject"
send_operation; service="s3"
send_operation; status="ok"
S3 upload completed successfully
waiting up to 600s for package upload 51310405-3244-46cc-a2f3-efd83401bcbf to finish processing
poll state after 0s: InProgress
poll state after 4s: InProgress
poll state after 7s: InProgress
poll state after 11s: InProgress
poll state after 15s: InProgress
poll state after 19s: InProgress
poll state after 22s: Accepted
Notary API Server has finished processing the uploaded asset
fetching notarization log for 51310405-3244-46cc-a2f3-efd83401bcbf
notary log> {
notary log>   "archiveFilename": "x.zip",
notary log>   "issues": null,
notary log>   "jobId": "51310405-3244-46cc-a2f3-efd83401bcbf",
notary log>   "logFormatVersion": 1,
notary log>   "sha256": "309d5c53a47a45a07c1869171df7b1b136d1077f5f0e268373d2fefd18074b0d",
notary log>   "status": "Accepted",
notary log>   "statusCode": 0,
notary log>   "statusSummary": "Ready for distribution",
notary log>   "ticketContents": [
notary log>     {
notary log>       "arch": "arm64",
notary log>       "cdhash": "181a64cf314e5f0fefd468aee3a0047992244d60",
notary log>       "digestAlgorithm": "SHA-256",
notary log>       "path": "x.zip/build/coder_darwin_arm64"
notary log>     }
notary log>   ],
notary log>   "uploadDate": "2022-09-06T07:48:23.895Z"
notary log> }
```

Adds the ability to notarize .zip files containing other notarizable
assets (such as a Mach-O binary).

Stapling (via the --staple option) is not supported for .zip files and
will return an error.
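Since a .zip cannot be stapled, the ticket reported in the notary log above is the only record of which binaries Apple actually notarized. As an added example (not code from this PR or from rcodesign), this release check confirms that every Mach-O inside the archive appears in `ticketContents` before the zip is published; the notary log is a constructed copy of the one shown above, and the zip contents are constructed too.

```python
import io
import json
import zipfile

# Constructed copy of the notary log printed above, trimmed to the fields the
# check uses; ticket paths take the form "<archive name>/<zip member>".
NOTARY_LOG = """{
  "archiveFilename": "x.zip",
  "issues": null,
  "status": "Accepted",
  "ticketContents": [
    {"arch": "arm64", "cdhash": "181a64cf314e5f0fefd468aee3a0047992244d60",
     "path": "x.zip/build/coder_darwin_arm64"}
  ]
}"""

# Thin and fat Mach-O magic numbers as they appear on disk (both byte orders).
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca")

def build_zip(members):
    """Constructed in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def macho_members(zip_bytes):
    """Names of zip members whose first four bytes are a Mach-O magic."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                if member.read(4) in MACHO_MAGICS:
                    found.add(info.filename)
    return found

def log_accepted(notary_log):
    """True when the Notary API accepted the submission and reported no issues."""
    log = json.loads(notary_log)
    return log["status"] == "Accepted" and not log["issues"]

def uncovered_binaries(zip_bytes, archive_name, notary_log):
    """Mach-O members the ticket does not list. A zip cannot be stapled, so
    the ticket is the only proof that a shipped binary was notarized."""
    prefix = archive_name + "/"
    covered = {e["path"][len(prefix):] for e in json.loads(notary_log)["ticketContents"]
               if e["path"].startswith(prefix)}
    return macho_members(zip_bytes) - covered
```

A non-empty result means a binary was added to the archive after submission (or the wrong zip was submitted) and Gatekeeper will find no ticket for it.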
@indygreg indygreg (Owner) left a comment


This looks fantastic!

While I haven't tested this, I know it should be possible to notarize zips. So the code changes seem reasonable to me. Will merge this shortly.

@indygreg indygreg merged commit 66b57c8 into indygreg:main Sep 21, 2022