macOS: Do really deep deep code signing for notarization

Notarization is more picky than the regular code signing.
All code outside of the "usual" binary directories must be signed
separately, in addition to being codesigned with the application
afterwards.
That includes Imports/qtquick2 and Resources/libexec.
We cannot just move these into e.g. MacOS/ or PlugIns/ either, because
these directories may _only_ contain code, no other resources.

Change-Id: Id05b2644e01b61e9c33d86617c6374225b50e7f3
Reviewed-by: Eike Ziller <eike.ziller@qt.io>

scripts/common.py

@@ -181,10 +181,25 @@ def is_not_debug(path, filenames):
 def codesign(app_path):
     signing_identity = os.environ.get('SIGNING_IDENTITY')
     if is_mac_platform() and signing_identity:
-        codesign_call = ['codesign', '-o', 'runtime', '--force', '--deep', '-s', signing_identity,
+        codesign_call = ['codesign', '-o', 'runtime', '--force', '-s', signing_identity,
                          '-v']
         signing_flags = os.environ.get('SIGNING_FLAGS')
         if signing_flags:
             codesign_call.extend(signing_flags.split())
-        codesign_call.append(app_path)
+
-        subprocess.check_call(codesign_call)
+        def conditional_sign_recursive(path, filter):
+            for r, _, fs in os.walk(path):
+                for f in fs:
+                    ff = os.path.join(r, f)
+                    if filter(ff):
+                        print('codesign "' + ff + '"')
+                        subprocess.check_call(codesign_call + [ff])
+
+        # sign all executables in Resources
+        conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Resources'),
+                                   lambda ff: os.access(ff, os.X_OK))
+        # sign all libraries in Imports
+        conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Imports'),
+                                   lambda ff: ff.endswith('.dylib'))
+        # sign the whole bundle
+        subprocess.check_call(codesign_call + ['--deep', app_path])