Add secure timestamp to Fulcio codesign to fix TCC permission persistence

Without --timestamp, the short-lived Fulcio leaf cert (10 min) expires
and macOS can't validate the certificate chain. This causes the
designated requirement's certificate leaf OID check to fail on every
launch, forcing TCC to re-prompt for microphone permission each time.

The --timestamp flag embeds an Apple-signed RFC 3161 timestamp proving
the signature was created while the cert was valid, allowing chain
validation to succeed indefinitely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: danielbodart

scripts/fulcio-codesign.sh

@@ -328,7 +328,7 @@ cat > "$TMPDIR_WORK/entitlements.plist" <<ENTITLEMENTS
 </plist>
 ENTITLEMENTS
 
-codesign --force --options runtime \
+codesign --force --options runtime --timestamp \
     --identifier "$IDENTIFIER" \
     --entitlements "$TMPDIR_WORK/entitlements.plist" \
     -r="$DR" \
@@ -346,10 +346,10 @@ security list-keychains -d user -s $ORIGINAL_KEYCHAINS
 
 echo ""
 echo "=== Verification ==="
-# codesign -dvvv may return a non-zero exit for Fulcio-signed binaries
-# because the Sigstore CA is not in Apple's trust store. This is expected
-# and does not affect functionality — TCC reads the signing identity from
-# the CMS blob regardless of chain trust.
+# The --timestamp flag embeds an Apple-signed secure timestamp, proving
+# the signature was created while the Fulcio cert was valid. This allows
+# macOS to validate the cert chain (and thus the designated requirement's
+# certificate leaf OID check) even after the short-lived Fulcio cert expires.
 codesign -dvvv "$BINARY" 2>&1 | head -20 || true
 echo ""
 echo "Entitlements:"