No, from what I understand this only affects binaries through Gatekeeper. Gatekeeper is “opt-in”—sort of. The way it works is that your web browser has an option “LSFileQuarantineEnabled” set in the bundle, and this makes it so files it creates have the “com.apple.quarantine” extended attribute on them by default. This attribute is propagated when you extract archives. When you open a program with the quarantine bit, you get the Gatekeeper warning.
All MacPorts has to do is either avoid setting the quarantine bit in the first place (easy enough) or remove it. The quarantine bit is nothing more than an xattr called “com.apple.quarantine” which you can inspect or remove with the xattr tool.
The MacPorts .pkg installer is probably the only thing affected, and they should be able to get that signed. (Plus, anyone using MacPorts should be capable of the right-click+open workaround.)
Actually an interesting question: will Apple be happy to sign third party app stores and package managers? Including those that, say, sell apps and take a percentage?
Pretty sure they do. Part of the point is that they can revoke the signature once it’s found to be malware, and likely the signatures for everything associated with that developer account.
They try not to, but it certainly seems like Notarization is more to be able to disable malware after it's detected than preventing it from being signed at all.
> The MacPorts installer pkg will need to be submitted, but I don't think much else will change. Using MacPorts-built kernel extensions is already impossible because of signing requirements (we don't have a kext signing certificate and I don't think we qualify for one.)
> For general apps, Gatekeeper doesn't prevent running locally built ones due to them being unsigned, and I gather than notarization is only required in the same circumstances as signing. (It would be incredibly inconvenient for developers to test anything if this were not the case.)
> * For 10.14 users: The pkg meets Apple's new requirements for notarization. This includes enabling the hardened runtime for all executables, which has the potential to cause new issues due to denying access to certain system resources and preventing the loading of unsigned plugins. Please let us know about any such problems.
MacPorts .pkg installers are notarized since 2.6.0.
I was concerned MacPorts would stop working on my computer. I don't plan on publishing apps for Mac, but I depend on apps others publish.
reply