Fix hardened runtime entitlement for scripting languages and add app signing scripts by ychin · Pull Request #980 · macvim-dev/macvim

added 2 commits

October 30, 2019 04:10
Use get-task-allow which seems to be necessary to get scripting
languages like Python to work. It's discouraged in docs, but from trials
seems like App Notarization will give a warning but still approve the
app.

Add two scripts. First one signs the MacVim app bundle and dmg files
with developer certificate. Second one submits the dmg file to Apple for
app notarization, and waits for the results to come back.

Also added Makefile target `macvim-dmg-release` that will use these
scripts to create a signed and notarized dmg file that can be
distributed and will play nice with macOS Gatekeeper.

@ychin ychin deleted the hardened-runtime-entitlement-scripting-language branch

October 30, 2019 11:30

ychin added a commit to ychin/macvim that referenced this pull request

Jul 23, 2025
This entitlement allows a debugger to hook into the app and allows other
apps to call `task_for_pid()` on MacVim, and Apple has discouraged its
use. In fact, the only reason why MacVim passes app notarization is
because it has also set the disable-library-validation entitlement
which allows get-task-allow to be set. We don't actually need
get-task-allow in release binary builds as we don't intentionally want
to allow external debuggers and code injection, so we should just remove
it.

This was previously added in macvim-dev#980 where we made a mistake in assuming
that get-task-allow was what was needed to sign the app with hardened
runtime while allowing scripting interface (e.g. Python) to work, but
that was wrong. It was the disable-library-validation entitlement
instead, as we need the ability to load in unsigned libraries as
Python distributions from say Homebrew are not signed.

Credit: This was pointed out by Karol Mazurek
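The two commit messages above (the original #980 change and the later correction) describe which hardened-runtime entitlement a release build needs: `disable-library-validation` so unsigned Python dylibs can load, and not `get-task-allow`. As an added illustration, not MacVim's own signing scripts or code, the following Python snippet builds both entitlement sets with the standard `plistlib` module, audits an entitlements plist for the `get-task-allow` mistake before signing, and assembles the `codesign` invocation. The app path, signing identity and entitlements file name are assumed placeholders.

```python
import plistlib

# Real entitlement keys as used in Info.plist-style entitlements files.
GET_TASK_ALLOW = "com.apple.security.get-task-allow"
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Constructed samples (not MacVim's real entitlements files):
# the set as PR #980 originally wrote it, and the corrected release set.
MISTAKEN_ENTITLEMENTS = {GET_TASK_ALLOW: True, DISABLE_LIB_VALIDATION: True}
RELEASE_ENTITLEMENTS = {DISABLE_LIB_VALIDATION: True}


def to_plist(entitlements):
    """Serialize an entitlements dict to the XML plist that codesign reads."""
    return plistlib.dumps(entitlements)


def audit_entitlements(plist_bytes):
    """Return a list of findings for an entitlements plist.

    BLOCK findings mean the file must not be used for a release build;
    NOTE findings are deliberate weakenings that a reviewer should see.
    """
    ent = plistlib.loads(plist_bytes)
    findings = []
    if ent.get(GET_TASK_ALLOW):
        # Lets any process task_for_pid() the app: debuggers and code injection.
        findings.append(
            "BLOCK: %s is set; a release build must not be debuggable" % GET_TASK_ALLOW
        )
    if ent.get(DISABLE_LIB_VALIDATION):
        # Needed so e.g. a Homebrew Python dylib (unsigned) can be loaded,
        # but it also lets any other unsigned library in; accept knowingly.
        findings.append(
            "NOTE: %s is set; required for unsigned scripting runtimes" % DISABLE_LIB_VALIDATION
        )
    return findings


def release_ready(plist_bytes):
    """True when no BLOCK finding is present."""
    return not any(f.startswith("BLOCK") for f in audit_entitlements(plist_bytes))


def codesign_argv(app_path, identity, entitlements_path):
    """Build the codesign argv for a hardened-runtime signature.

    --options runtime enables the hardened runtime; --entitlements supplies
    the plist audited above. Paths and identity are hypothetical placeholders.
    """
    return [
        "codesign", "--force", "--options", "runtime",
        "--entitlements", entitlements_path,
        "--sign", identity, app_path,
    ]


if __name__ == "__main__":
    for name, ent in (("mistaken", MISTAKEN_ENTITLEMENTS), ("release", RELEASE_ENTITLEMENTS)):
        data = to_plist(ent)
        print(name, "release_ready=%s" % release_ready(data))
        for finding in audit_entitlements(data):
            print("  ", finding)
    # Placeholder values; on a real build these come from the signing script.
    print(" ".join(codesign_argv("MacVim.app", "Developer ID Application: EXAMPLE",
                                 "MacVim.entitlements")))
```

Running the audit in the signing script before `codesign` turns the mistake described above into a hard failure instead of a notarization warning that is easy to overlook. After signing, the entitlements actually embedded in the bundle can be read back with `codesign -d --entitlements - MacVim.app` and fed to the same audit.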

@ychin ychin mentioned this pull request

Jul 23, 2025