Use identifier-only designated requirement for macOS code signing

macOS SecTrustEvaluate treats short-lived Fulcio certs as expired even
with a secure timestamp, so the certificate leaf OID check in the DR
fails on every launch — causing TCC to re-prompt for mic permission.

Switch to identifier-only DR to test whether TCC stores an identifier-
based csreq that persists across builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: danielbodart

scripts/fulcio-codesign.sh

@@ -306,13 +306,13 @@ echo "Signing identity: $IDENTITY_HASH"
 # Build the designated requirement
 # Pins on identifier + the Fulcio Source Repository URI OID.
 # In CI this is the actual repo URL; locally it's the Dex OAuth redirect.
-if [ -n "$CERT_REPO_URI" ]; then
-    DR="designated => identifier \"$IDENTIFIER\" and certificate leaf[field.$REPO_OID] = \"$CERT_REPO_URI\""
-    echo "DR: identifier + repo OID = $CERT_REPO_URI"
-else
-    DR="designated => identifier \"$IDENTIFIER\""
-    echo "DR: identifier only (no repo OID in cert)"
-fi
+# Use identifier-only DR. The Fulcio cert provides supply-chain verification
+# (via cosign/sigstore), but can't be used in the DR because macOS evaluates
+# certificate leaf fields via SecTrustEvaluate which treats the short-lived
+# Fulcio cert as expired — even with a secure timestamp. An identifier-only
+# DR lets TCC persist grants across builds without cert chain validation.
+DR="designated => identifier \"$IDENTIFIER\""
+echo "DR: identifier only"
 
 # Entitlements: hardened runtime requires explicit entitlements for mic access.
 # Without com.apple.security.device.audio-input, TCC silently denies the mic