ci: sign release DMG for the curl-based installer

[quiet-node]

Overview

Adds a signing step to the release workflow so each release publishes a detached signature for Thuki.dmg. This is the release-side half of the upcoming one-line installer (curl -fsSL https://thuki.app/install.sh | sh), which downloads the DMG over HTTPS and verifies it before installing, so users get a clean launch with no Gatekeeper "Apple could not verify" prompt and no manual xattr step.

How it works

After the DMG is built, the workflow signs it with openssl dgst -sha256 -sign using an RSA-4096 private key supplied via the new THUKI_INSTALLER_RSA_PRIVATE_KEY Actions secret, and uploads Thuki.dmg.sig alongside Thuki.dmg. The private key is written to a temp file and removed on step exit; it never lands on the release.

The installer verifies that signature with stock macOS openssl against a public key pinned in the install script. RSA is used (rather than the existing ed25519 updater key) specifically because stock LibreSSL on macOS cannot verify ed25519/minisign signatures, so this path needs no extra tooling on the user's machine. Because the key lives only in CI, a DMG swapped onto a compromised release fails verification and is never installed.

Thuki.dmg keeps its stable releases/latest/download/ URL, so the installer tracks new versions with no per-release changes.

Testing

• End-to-end signed the current published Thuki.dmg with the private key and verified it with the public key using stock LibreSSL 3.3.6: Verified OK.
• Byte-level tamper of the DMG is correctly rejected (Verification Failure).
• Workflow YAML validated.

Note

The signature only appears starting with the next release that runs this workflow; the matching public key and install.sh are managed in the landing-page repo.