feat(portal): sign Apple profiles — Verified instead of 'unsigned' warning

Unsigned .mobileconfig installs trip macOS warnings ('unknown developer')
and an extra System Settings hunt. The route now wraps the profile in
PKCS#7 SignedData (node-forge, SHA-256, full chain embedded) using the
portal's own cert-manager LE certificate mounted read-only into the pod
(PROFILE_SIGN_CERT/KEY). Publicly-trusted chain → Apple shows Verified.
Dev (no env) and any signing failure fall back to unsigned — the
download must never break over the badge. Signature round-trip verified
with openssl smime.

infrastructure/production/fleet/apps/portal.yaml

@@ -41,6 +41,12 @@ spec:
               value: https://booking.dezky.eu
             - name: NUXT_PUBLIC_MAIL_URL
               value: https://mail.dezky.eu
+            # Sign Apple .mobileconfig profiles with the portal's own LE cert
+            # (mounted below) so macOS shows Verified instead of "unsigned".
+            - name: PROFILE_SIGN_CERT
+              value: /profile-sign/tls.crt
+            - name: PROFILE_SIGN_KEY
+              value: /profile-sign/tls.key
             # Cluster-internal address of platform-api for the nitro proxy.
             - name: PLATFORM_API_INTERNAL_URL
               value: http://platform-api.dezky-apps.svc.cluster.local:3001
@@ -50,6 +56,10 @@ spec:
           envFrom:
             - secretRef:
                 name: portal-secrets
+          volumeMounts:
+            - name: profile-sign
+              mountPath: /profile-sign
+              readOnly: true
           resources:
             requests:
               cpu: 100m
@@ -66,6 +76,12 @@ spec:
               port: http
             initialDelaySeconds: 30
             periodSeconds: 30
+      volumes:
+        # cert-manager-maintained app.dezky.eu cert — reused as the profile
+        # signing identity (any publicly-trusted cert works for PKCS#7).
+        - name: profile-sign
+          secret:
+            secretName: app-dezky-eu-tls
 ---
 apiVersion: v1
 kind: Service