fix(ci): switch to signed IPA build via APPLE_SIGNING group

Replace unsigned CODE_SIGNING_ALLOWED=NO build with proper ad-hoc
signed archive using keychain, certificate, and provisioning profile.
Update xtool.yml schema to match current xtool v1 format.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

codemagic.yaml

@@ -15,6 +15,7 @@ workflows:
       xcode: latest
       groups:
         - SLABS
+        - APPLE_SIGNING
       vars:
         BUNDLE_ID: uk.silverlabs.silverapple
         GITEA_REPO: SilverLABS/SilverApple
@@ -26,7 +27,26 @@ workflows:
           brew install xcodegen
           xcodegen generate --spec project.yml
 
-      - name: Build (unsigned)
+      - name: Initialize keychain
+        script: keychain initialize
+
+      - name: Install signing certificate
+        script: |
+          echo $CM_CERTIFICATE | base64 --decode > /tmp/cert.p12
+          keychain add-certificates \
+            --certificate /tmp/cert.p12 \
+            --certificate-password $CM_CERTIFICATE_PASSWORD
+
+      - name: Install provisioning profile
+        script: |
+          echo $CM_PROVISIONING_PROFILE | base64 --decode > /tmp/profile.mobileprovision
+          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+          cp /tmp/profile.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/
+
+      - name: Configure Xcode signing
+        script: xcode-project use-profiles
+
+      - name: Build (signed)
         script: |
           xcodebuild archive \
             -project SilverApple.xcodeproj \
@@ -34,26 +54,28 @@ workflows:
             -destination "generic/platform=iOS" \
             -configuration Release \
             -archivePath "$CM_BUILD_DIR/SilverApple.xcarchive" \
-            CODE_SIGNING_ALLOWED=NO \
-            CODE_SIGNING_REQUIRED=NO \
-            CODE_SIGN_IDENTITY="" \
-            PROVISIONING_PROFILE=""
+            DEVELOPMENT_TEAM="$APPLE_TEAM_ID" \
+            CODE_SIGN_STYLE=Manual
 
-      - name: Package IPA
+      - name: Export signed IPA
         script: |
-          cd "$CM_BUILD_DIR"
-          APP=$(find SilverApple.xcarchive/Products -name "*.app" -type d | head -1)
-          if [ -z "$APP" ]; then
-            echo "ERROR: No .app found in xcarchive. Contents:"
-            find SilverApple.xcarchive -type d | head -30
-            exit 1
-          fi
-          echo "Packaging: $APP"
-          mkdir -p Payload
-          cp -r "$APP" Payload/
-          zip -r SilverApple.ipa Payload/
-          rm -rf Payload
-          echo "IPA size: $(du -sh SilverApple.ipa | cut -f1)"
+          cat > /tmp/ExportOptions.plist << 'EOF'
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+          <plist version="1.0">
+          <dict>
+            <key>method</key>
+            <string>ad-hoc</string>
+            <key>signingStyle</key>
+            <string>manual</string>
+          </dict>
+          </plist>
+          EOF
+          xcodebuild -exportArchive \
+            -archivePath "$CM_BUILD_DIR/SilverApple.xcarchive" \
+            -exportPath "$CM_BUILD_DIR/export" \
+            -exportOptionsPlist /tmp/ExportOptions.plist
+          cp "$CM_BUILD_DIR/export/SilverApple.ipa" "$CM_BUILD_DIR/SilverApple.ipa"
 
       - name: Publish to Gitea
         script: |