macos: codesign Python interpreter to fix bootstrap namespace restriction

Without an ad-hoc signature on the Python binary (the browser process),
process_requirement.cc fails with errSecCSUnsigned (-67030). Chrome
responds by launching subprocesses with a restricted bootstrap namespace
that cannot see Mach services registered by the parent. This causes
bootstrap_look_up for MachPortRendezvousServer to return 1102 regardless
of whether the service name is correct.

Signing the Python binary (in addition to subprocess and .so files)
prevents the namespace restriction and allows subprocesses to find the
registered service.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: linesight

.github/workflows/ci-macos.yml

@@ -124,6 +124,11 @@ jobs:
           # bootstrap_look_up, causing all subprocesses to crash on startup.
           codesign --force --sign - cefpython3/subprocess
           for f in cefpython3/cefpython_py*.so; do codesign --force --sign - "$f"; done
+          # Also sign the Python interpreter (the browser process). Without this,
+          # process_requirement.cc fails with -67030 (errSecCSUnsigned) and Chrome
+          # launches subprocesses with a restricted bootstrap namespace, preventing
+          # bootstrap_look_up from finding the MachPortRendezvousServer service.
+          codesign --force --sign - "$(python -c 'import sys; print(sys.executable)')"
 
       - name: Run unit tests
         run: |