cmake(macOS): Sign dependencies first

If the plugin is signed before signing dependencies, errors below are
reported by `codesign -vvv --deep --strict`.
```
  release/obs-face-tracker.plugin/Contents/MacOS/obs-face-tracker: a sealed resource is missing or invalid
  file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libgfortran.5.dylib
  file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libquadmath.0.dylib
  file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libgcc_s.1.1.dylib
  file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libgomp.1.dylib
  file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libopenblas.0.dylib
```
Strangely, this error is not reported for the legacy plugin structure.

.github/workflows/main.yml

@@ -246,22 +246,22 @@ jobs:
           case ${{ matrix.obs }} in
             27)
               files=(
-                release/${PLUGIN_NAME}/bin/${PLUGIN_NAME}.so
                 $(find release/${PLUGIN_NAME}/ -name '*.dylib')
+                release/${PLUGIN_NAME}/bin/${PLUGIN_NAME}.so
               )
               ;;
             28)
               files=(
-                release/${PLUGIN_NAME}.plugin/Contents/MacOS/${PLUGIN_NAME}
                 $(find release/${PLUGIN_NAME}.plugin/ -name '*.dylib')
+                release/${PLUGIN_NAME}.plugin/Contents/MacOS/${PLUGIN_NAME}
               )
               ;;
           esac
           for dylib in "${files[@]}"; do
-            codesign --remove-signature "$dylib" || true
+            codesign --force --sign "${{ secrets.MACOS_SIGNING_APPLICATION_IDENTITY }}" "$dylib"
           done
           for dylib in "${files[@]}"; do
-            codesign --sign "${{ secrets.MACOS_SIGNING_APPLICATION_IDENTITY }}" "$dylib"
+            codesign -vvv --deep --strict "$dylib"
           done
 
       - name: Package