Replace fulcio-codesign.sh with fulcio-codesign binary

Switch from the 362-line bash script to the standalone Zig binary
(github:danielbodart/fulcio-codesign) installed via mise. No more
runtime dependency on openssl, curl, jq, python3, or security CLI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: danielbodart

.mise.toml

@@ -3,4 +3,4 @@ zig = "0.15.2"
 bun = "1.3.10"
 shellcheck = "0.11.0"
 cosign = "3.0.5"
-"github:indygreg/apple-platform-rs" = { version = "apple-codesign/0.29.0", exe = "rcodesign", matching = "apple-codesign" }
+"github:danielbodart/fulcio-codesign" = "latest"

dist/macos/entitlements.plist

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+</dict>
+</plist>

run.ts

@@ -285,10 +285,10 @@ export async function sign() {
 
     const hasOidc = !!process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
 
-    // macOS: sign the Mach-O binary with Fulcio cert via rcodesign
+    // macOS: sign the Mach-O binary with Fulcio cert
     if (IS_MACOS) {
         console.log("Signing macOS binary with Fulcio...");
-        await $`./scripts/fulcio-codesign.sh ${PLATFORM_DIR}/bin/capsper`;
+        await $`fulcio-codesign --identifier io.github.danielbodart.capsper --subject io.github.danielbodart.capsper --entitlements dist/macos/entitlements.plist ${PLATFORM_DIR}/bin/capsper`;
         // Re-create tarball with signed binary
         await distMacOS();
     }