by glhaynes 3964 days ago
And users attempting to run it would encounter the things I mentioned above, so I'm not sure what you're getting at.

I'm getting at the fact a shell script with this exploit can be made to look like an "app" and be "double-clickable", and doesn't require any code signing.
Gatekeeper also watches over shell scripts, so when you double click the shell script it will tell you that you can't open it because it is from an unidentified developer.
You're thinking of quarantine. You'll get a warning saying the script was downloaded from the Internet, asking if you're sure you want to open it. Again, nothing to do with code signing.
I think you are misunderstanding something. Shell scripts and unsigned code are treated exactly the same by Gatekeeper.

When you double click a shell script downloaded from the internet, the warning will not ask you if you want to open the file. The warning will tell you that you can't open it because it is from an unidentified developer.

Let me try to clarify this: "Quarantine" is a flag set on files downloaded from the internet. When you open a file with the quarantine flag, Gatekeeper checks the code signature. If it is valid, it asks you if you want to open this file that you downloaded from the web. If the code signature is not valid, or if the file has no code signature, you won't be able to open it.

There are several ways to execute shell scripts downloaded from the internet:

1) Check "Allow all Applications" in System Preferences

2) Right click, select open. Then the warning will have a second option to open it despite being unsigned

3) Execute it from the command line

All of these presumably require the user to know what they are doing...

I haven't gotten to try it to confirm but I'm having trouble imagining why an unsigned .app bundle containing a binary executable would get the code-signing error but one containing a script wouldn't. Is that in fact the case?
Sorry for not making this more clear. Create a shell script with the exploit, then remove the .sh extension. You can edit the icon to make it appear as any application and when double-clicked it will open and run in Terminal.app.
Ah, thanks for clarifying. I suppose it wouldn't have execute permissions if downloaded from a browser, but it could if copied with Finder from a network share (or directly accessed, of course), so that sounds like a potential vector.