
Add make sign target and optional envelope signing in publish workflow#2

Merged
jeffreyaven merged 1 commit into main from feature/envelope-signing on Jun 12, 2026
Conversation

@jeffreyaven

Member

Wires up MCPB envelope signing as an optional publish step.

  • scripts/sign.sh + 'make sign': signs dist/*.mcpb in place and regenerates each .sha256 (the signature is appended to the bundle bytes, so checksums must be recomputed after signing). Soft-skips with a notice when no signing material is configured, so CI calls it unconditionally.
  • publish.yml: new 'Sign bundles (optional)' step between artifact gathering and upload. Activates when the MCPB_SIGNING_CERT / MCPB_SIGNING_KEY repo secrets (PEM contents, optional MCPB_SIGNING_INTERMEDIATES) are set; otherwise skips and unsigned bundles ship as before.
  • Workaround for broken 'mcpb verify' in the current upstream CLI (v2.1.2): it calls node-forge p7.verify, which is unimplemented and throws, so every signed bundle reports as "Extension is not signed". Both sign.sh and package.sh now treat verify as advisory and assert the appended MCPB_SIG_END signature block directly.

Tested locally: self-signed sign -> signature block present -> sha256 regenerated -> smoke test passes on the signed bundle (zip extraction tolerates the appended signature) -> unsign restores. Soft-skip path verified with no env set.

🤖 Generated with Claude Code
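The checks the description relies on (the soft-skip gate on the PEM secrets, asserting the appended MCPB_SIG_END block instead of trusting `mcpb verify`, and recomputing each `.sha256` after signing) as a stand-alone POSIX shell example. This is added here and is not the project's `scripts/sign.sh` or `package.sh`; it assumes only what the PR states about the format (a signed bundle ends with a block containing the literal marker `MCPB_SIG_END`), the rest of the block's layout is not reproduced, and the demo bundle it builds is constructed data, not a real MCPB archive.

```shell
#!/bin/sh
# Added example, not the project's scripts/sign.sh or package.sh.
# Assumption (from the PR text, not verified against the MCPB spec): a signed
# bundle carries the literal marker MCPB_SIG_END in its appended signature
# block; the rest of that block's layout is not reproduced here.
set -eu

# Hex SHA-256 of a file; falls back to shasum on systems without sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Soft-skip gate: succeeds only when both PEM secrets are present and non-empty.
# A non-zero return is the "notice and skip" path, not an error, so CI can call
# the signing step unconditionally.
signing_material_configured() {
  [ -n "${MCPB_SIGNING_CERT:-}" ] && [ -n "${MCPB_SIGNING_KEY:-}" ]
}

# Assert the appended signature block directly (the PR's workaround for the
# advisory-only `mcpb verify`). Only the trailing bytes are inspected so the
# marker string appearing somewhere inside the zip payload does not count.
bundle_is_signed() {
  tail -c 4096 "$1" | grep -q 'MCPB_SIG_END'
}

# The published .sha256 must cover the bundle *after* signing; a digest taken
# before the signature was appended fails this check.
checksum_matches() {
  bundle=$1
  recorded=$(awk 'NR==1 {print $1}' "$bundle.sha256")
  [ "$recorded" = "$(sha256_of "$bundle")" ]
}

# Constructed demo data, not a real bundle: an unsigned file, a copy with an
# appended marker block, and a .sha256 that was (wrongly) computed before signing.
make_demo() {
  dir=$(mktemp -d)
  printf 'PK\003\004 constructed zip-like payload\n' > "$dir/unsigned.mcpb"
  cp "$dir/unsigned.mcpb" "$dir/signed.mcpb"
  printf 'constructed-signature-bytes\nMCPB_SIG_END\n' >> "$dir/signed.mcpb"
  sha256_of "$dir/unsigned.mcpb" > "$dir/signed.mcpb.sha256"   # stale on purpose
  echo "$dir"
}

# Walk a dist directory the way the publish step would and report each bundle.
check_dist() {
  for f in "$1"/*.mcpb; do
    if bundle_is_signed "$f"; then state=signed; else state=unsigned; fi
    if [ ! -f "$f.sha256" ]; then
      sum=missing
    elif checksum_matches "$f"; then
      sum=ok
    else
      sum=STALE
    fi
    echo "$(basename "$f"): $state, sha256 $sum"
  done
}
```

Running `check_dist` over the constructed directory reports the signed copy as `signed, sha256 STALE` until its checksum is regenerated from the post-signing bytes, which is exactly the ordering the PR enforces in `sign.sh`. Presence of the `MCPB_SIG_END` block shows the signing step ran; it does not validate the signature against the certificate chain, and that gap remains until upstream `mcpb verify` is fixed.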

- scripts/sign.sh: sign dist/*.mcpb in place and regenerate .sha256
  (signature is appended to the bundle, so checksums must be recomputed);
  soft-skips when no signing material is configured so CI can call it
  unconditionally
- publish.yml: sign bundles before upload when MCPB_SIGNING_CERT /
  MCPB_SIGNING_KEY (PEM content) secrets are set
- work around broken 'mcpb verify' (upstream CLI calls node-forge
  p7.verify which is unimplemented, so every signed bundle reports as
  unsigned): treat verify as advisory, assert the MCPB_SIG_END block

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
jeffreyaven merged commit a59fa1d into main on Jun 12, 2026
7 checks passed