by noondip 3965 days ago
You're thinking of quarantine. You'll get a warning saying the script was downloaded from the Internet, asking if you're sure you want to open it. Again, nothing to do with code signing.

I think you are misunderstanding something. Shell scripts and unsigned code are treated exactly the same by Gatekeeper.

When you double click a shell script downloaded from the internet, the warning will not ask you if you want to open the file. The warning will tell you that you can't open it because it is from an unidentified developer.

Let me try to clarify this: "Quarantine" is a flag set on files downloaded from the internet. When you open a file with the quarantine flag, Gatekeeper checks the code signature. If it is valid, it asks you if you want to open this file that you downloaded from the web. If the code signature is not valid, or if the file has no code signature, you won't be able to open it.

There are several ways to execute shell scripts downloaded from the internet: 1) Check "Allow all Applications" in System Preferences 2) Right click, select open. Then the warning will have a second option to open it despite being unsigned 3) Execute it from the command line

All of these presumably require the user to know what they are doing...

I haven't gotten to try it to confirm but I'm having trouble imagining why an unsigned .app bundle containing a binary executable would get the code-signing error but one containing a script wouldn't. Is that in fact the case?
Sorry for not making this more clear. Create a shell script with the exploit, then remove the .sh extension. You can edit the icon to make it appear as any application and when double-clicked it will open and run in Terminal.app.
Ah, thanks for clarifying. I suppose it wouldn't have execute permissions if downloaded from a browser, but it could if copied with Finder from a network share (or directly accessed, of course), so that sounds like a potential vector.
It is a lot easier than you may think. Here is a simple demonstration: https://vid.me/gGQY
This is bullshit. If you actually put that disk image on a web server, and then download it, you'll get the unidentified developer warning and you can't run the script (there will be no button to open it).

Gatekeeper and code signing work hand-in-hand. You can run any unsigned code you want, as long as you didn't download it from the web. For example, Gatekeeper won't prevent you from running unsigned code you compiled yourself, or from running code you installed using a package manager.

OS X is smart enough to know that a shell script is equivalent to an application. You can't fool Gatekeeper quite that easily.

Oh, yeah, I should've thought about dmgs. Yikes... that seems "not OK"; but if they made shell scripts require signing I imagine that'd probably break lots of stuff.