fix: sign Sparkle framework separately for sandboxed builds

Sign the Sparkle framework before signing the whole app to ensure
proper code signature chain for sandboxed installation.

scripts/build_release.sh

@@ -159,6 +159,14 @@ if [[ ! -d "$APP_PATH" ]]; then
 fi
 
 if [[ -n "${CODESIGN_IDENTITY:-}" ]]; then
+  echo "🔏 Codesigning Sparkle framework..."
+  codesign \
+    --force \
+    --options runtime \
+    --timestamp \
+    --sign "$CODESIGN_IDENTITY" \
+    "$APP_PATH/Contents/Frameworks/Sparkle.framework"
+
   echo "🔏 Codesigning app with identity: $CODESIGN_IDENTITY"
   codesign \
     --deep \