Fix macOS 10.15.4 codesigning crash

[phoerious]

The recent macOS security patch renders our codesigning "fix" of setting the sandbox entitlement to false twice unusable. This patch adds a full provisioning profile and adjusts the signing procedure to not include entitlements for Qt frameworks.

The patch also changes the app and bundle ID, so granted accessibility privileges have to be granted again after installing the update.

Fixes #4398
Fixes #4515

@droidmonkey Since this is an actual fix and not just a workaround or rebuild, I suggest we release it as 2.5.4 despite there not being any changes on other platforms. I believe the extent to which things were changed (including the bundle ID change, which was long overdue anyway) merits a version number upgrade.

Type of change

• ✅ Bug fix (non-breaking change which fixes an issue)

Checklist:

• ✅ I have read the CONTRIBUTING document. [REQUIRED]
• ✅ My code follows the code style of this project. [REQUIRED]
• ✅ All new and existing tests passed. [REQUIRED]
• ✅ I have compiled and verified my code with -DWITH_ASAN=ON. [REQUIRED]

[droidmonkey]

Concur with the version bump

[droidmonkey]

That is some voodoo magic! Makes sense to only apply entitlements to the executable that needs it.

[phoerious]

Yeah, and then there are entitlements and entitlements. Some can be set just like that, others need to be whitelisted by a provisioning profile.

[droidmonkey]

I'm glad this is all thoroughly documented and doesn't require special Apple engineer intervention to figure out! 😏

[phoerious]

Oh indeed, 'twas a walk in the park.