by glhaynes 3966 days ago
Ah, thanks for clarifying. I suppose it wouldn't have execute permissions if downloaded from a browser, but it could if copied with Finder from a network share (or directly accessed, of course), so that sounds like a potential vector.

It is a lot easier than you may think. Here is a simple demonstration: https://vid.me/gGQY

This is bullshit. If you actually put that disk image on a web server, and then download it, you'll get the unidentified developer warning and you can't run the script (there will be no button to open it).

Gatekeeper and code signing work hand-in-hand. You can run any unsigned code you want, as long as you didn't download it from the web. For example, Gatekeeper won't prevent you from running unsigned code you compiled yourself, or from running code you installed using a package manager.

OS X is smart enough to know that a shell script is equivalent to an application. You can't fool Gatekeeper quite that easily.

Oh, yeah, I should've thought about dmgs. Yikes... that seems "not OK"; but if they made shell scripts require signing I imagine that'd probably break lots of stuff.