by anentropic 1883 days ago
Looks like this explains how: https://www.digicert.com/kb/code-signing/mac-os-codesign-too... but... "only Apple Developer code signing certificates are compatible with GateKeeper"

Does code-signing with an ad hoc certificate and no notarization provide any better experience than just unsigned code?

Do you get a friendlier message (cf. "malicious software: Move to Trash") when Gatekeeper blocks it?


Unsigned (arm64) binaries don't run at all on M1 Macs, so yes, an ad-hoc certificate provides a better experience ;)
I just tried an unsigned bin on M1 Big Sur and the experience is the same:

It's initially blocked with a "Move to Trash" dialog,

but you can go to Security prefs and click "Allow Anyway".

Then try again, click "Open" rather than "Move to Trash" on another warning dialog, and the file does get run.

I haven't tried a signed+un-notarized one but it sounds like it'd be similar?

I suspect that the code you're trying to run is ad-hoc signed.
Not by me... and it's my own code, built from src in a GitHub Action.
When targeting ARM macOS, the linker automatically ad-hoc signs everything it outputs. You can check this by running `codesign -dvv` on the binary. Alternatively, if your binary is an Intel binary running under Rosetta, those can be unsigned.
Hmm, it was built on Intel though (GitHub Actions macos runners are only Intel)

But maybe some other part of the toolchain (Gradle, GraalVM native-image) was implicitly ad-hoc signing it
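The thread above suggests running `codesign -dvv` to find out whether a binary is unsigned, ad-hoc signed (by the linker or otherwise), or signed with a real certificate. The following is an added example, not code from any of the commenters: a small POSIX shell helper that classifies a binary from the exit status and output of `codesign -dvv`. It keys on the `Signature=adhoc` line that codesign prints for ad-hoc signatures, the `linker-signed` flag that newer toolchains add when the linker did the signing, and the `Authority=` lines that only certificate-backed signatures carry; an unsigned file makes codesign exit non-zero with "code object is not signed at all". The sample outputs embedded below are constructed to mimic those shapes (paths, identifiers and sizes are made up), so the script runs without macOS; the commented-out call at the bottom shows how to feed it a real binary where `codesign` exists.

```shell
#!/bin/sh
# Added example: classify a Mach-O binary's signing state from `codesign -dvv`.
# Usage: classify_codesign_output <codesign exit status> "<codesign stdout+stderr>"
# Prints one of: unsigned, adhoc-linker, adhoc, developer-id, signed-other, unknown, error

classify_codesign_output() {
    status=$1
    out=$2
    # codesign exits non-zero for unsigned objects and for files it cannot read.
    if [ "$status" -ne 0 ]; then
        case "$out" in
            *"not signed at all"*) echo unsigned ;;
            *)                     echo error ;;
        esac
        return 0
    fi
    case "$out" in
        # Ad-hoc signature with the linker-signed flag: what the arm64 linker emits.
        *"Signature=adhoc"*"linker-signed"*|*"linker-signed"*"Signature=adhoc"*)
            echo adhoc-linker ;;
        # Ad-hoc signature produced by `codesign -s -` or a toolchain step.
        *"Signature=adhoc"*)
            echo adhoc ;;
        # Certificate-backed signatures carry an Authority= chain.
        *"Authority=Developer ID Application"*)
            echo developer-id ;;
        *"Authority="*)
            echo signed-other ;;
        *)
            echo unknown ;;
    esac
}

# Constructed sample: ad-hoc, linker-signed arm64 binary (values are made up).
ADHOC_LINKER_SAMPLE='Executable=/tmp/hello
Identifier=hello
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=442 flags=0x20002(adhoc,linker-signed) hashes=8+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none'

# Constructed sample: ad-hoc signed with `codesign -s -` (no linker-signed flag).
ADHOC_SAMPLE='Executable=/tmp/hello
Identifier=hello
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=442 flags=0x2(adhoc) hashes=8+0 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Constructed sample: Developer ID signed binary (authority names are illustrative).
DEVID_SAMPLE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample: what codesign prints (to stderr, exit 1) for an unsigned file.
UNSIGNED_SAMPLE='/tmp/hello: code object is not signed at all'

# Real use on a Mac (assumption: codesign is on PATH):
#   out=$(codesign -dvv "$1" 2>&1); status=$?
#   classify_codesign_output "$status" "$out"
```

Because ad-hoc signatures have no `Authority=` lines, the helper never mistakes a linker-signed binary for one that Gatekeeper would treat as identified-developer code; to also tell notarized from merely Developer ID signed, you would additionally need `spctl --assess`, which this example does not cover.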