Metal backend: add export-time code signing for Hardened Runtime

[mergennachin]

The Metal AOTI backend extracts a compiled .so from the .pte at runtime
and dlopen's it. macOS Hardened Runtime rejects unsigned dlopen'd code,
making Metal-backend .pte files unusable in notarized apps.

Add a codesign_so hook to AotiBackend (no-op by default) that runs
after AOTInductor compilation and before the .so is packed into the .pte.
MetalBackend overrides it to run codesign when a codesign_identity
compile spec is provided. Wire --codesign-identity through the Voxtral
Realtime and Parakeet export scripts.

[pytorch-bot]

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18768

• 📄 Preview Python docs built from this PR

Note: Links to docs will display an error until the docs builds have been completed.

⏳ 6 Pending, 2 Unrelated Failures

As of commit 3517c6d with merge base e109ac8 ():

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

• pull / unittest / windows / windows-job (gh) (trunk failure)
  ##[error]The operation was canceled.
• pull / unittest-editable / windows / windows-job (gh) (trunk failure)
  ##[error]The operation was canceled.

This comment was automatically generated by Dr. CI and updates every 15 minutes.

[github-actions]

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.