PICARD-1653: Enable macOS "Hardened Runtime"

scripts/package/entitlements.plist

@@ -0,0 +1,6 @@
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+  </dict>
+</plist>

scripts/package/package-osx.sh

@@ -42,7 +42,10 @@ cd dist
 ditto -rsrc --arch x86_64 'MusicBrainz Picard.app' 'MusicBrainz Picard.tmp'
 rm -r 'MusicBrainz Picard.app'
 mv 'MusicBrainz Picard.tmp' 'MusicBrainz Picard.app'
-[ "$CODESIGN" = '1' ] && codesign --keychain $KEYCHAIN_PATH --verify --verbose --deep --sign "$CERTIFICATE_NAME" 'MusicBrainz Picard.app'
+[ "$CODESIGN" = '1' ] && codesign --verify --verbose --deep \
+  --options runtime --entitlements scripts/package/entitlements.plist \
+  --keychain $KEYCHAIN_PATH --sign "$CERTIFICATE_NAME" \
+  "MusicBrainz Picard.app"
 
 # Verify Picard executable works and required dependencies are bundled
 VERSIONS=$("MusicBrainz Picard.app/Contents/MacOS/picard-run" --long-version)