fix: handle already-signed ONNX Runtime libraries in macOS signing

The ONNX Runtime dylib files from Microsoft may already be signed,
which causes code signing to fail. This commit adds logic to:

1. Check if libraries are already signed
2. Use --force flag to replace existing signatures
3. Add verbose output for debugging
4. Verify signatures with --deep --strict flags

This ensures our certificate is applied even if Microsoft's signature
is present, which is necessary for notarization.

Author: tphakala

.github/workflows/release.yml

@@ -323,15 +323,33 @@ jobs:
           echo "=== Signing ONNX Runtime library ==="
           for dylib in unsigned/*.dylib; do
             if [ -f "$dylib" ]; then
-              echo "Signing: $dylib"
-              codesign --sign "$CERT_IDENTITY" \
-                --timestamp \
-                --options runtime \
-                --verbose \
-                "$dylib"
-              codesign --verify --verbose "$dylib"
+              echo "Processing: $dylib"
+
+              # Check if already signed
+              if codesign --verify "$dylib" 2>/dev/null; then
+                echo "Already signed by: $(codesign --display --verbose "$dylib" 2>&1 | grep 'Authority=')"
+                echo "Re-signing with our certificate..."
+                # Use --force to replace existing signature
+                codesign --force --sign "$CERT_IDENTITY" \
+                  --timestamp \
+                  --options runtime \
+                  --verbose \
+                  "$dylib"
+              else
+                echo "Not signed, signing now..."
+                codesign --sign "$CERT_IDENTITY" \
+                  --timestamp \
+                  --options runtime \
+                  --verbose \
+                  "$dylib"
+              fi
+
+              echo "Verifying signature..."
+              codesign --verify --deep --strict --verbose=2 "$dylib"
+              echo "✓ Successfully signed: $dylib"
             fi
           done
+          echo "=== All libraries signed ==="
 
       - name: Create ZIP for notarization
         run: |