No, from what I understand this only affects binaries through Gatekeeper. Gatekeeper is “opt-in”—sort of. The way it works is that your web browser has an option “LSFileQuarantineEnabled” set in the bundle, and this makes it so files it creates have the “com.apple.quarantine” extended attribute on them by default. This attribute is propagated when you extract archives. When you open a program with the quarantine bit, you get the Gatekeeper warning.
All MacPorts has to do is either avoid setting the quarantine bit in the first place (easy enough) or remove it. The quarantine bit is nothing more than an xattr called “com.apple.quarantine” which you can inspect or remove with the xattr tool.
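An added example (not from the thread or from MacPorts) of what the comment above describes. The quarantine xattr's value is a small `;`-separated record: hex flags, hex download timestamp (seconds since the epoch), the name of the agent that wrote it, and a UUID that keys into the LaunchServices quarantine database. The `parse_quarantine` function below decodes such a value; `show_quarantine` and `strip_quarantine` wrap the macOS `xattr` tool and do nothing on systems without it; `lsquarantine_enabled` reads the `LSFileQuarantineEnabled` key from an app bundle's Info.plist. The attribute value used in the usage example is constructed, and the flag bits are printed raw rather than decoded.

```shell
#!/bin/sh
# Inspect and remove com.apple.quarantine. Added example, not part of the original thread.
# Works on bash and POSIX sh; the xattr/defaults wrappers only do something on macOS.

QUARANTINE_ATTR="com.apple.quarantine"

# parse_quarantine VALUE
# VALUE is the raw attribute string, e.g. "0081;5f000000;Safari;<uuid>".
# Prints the four fields, with the timestamp converted from hex to decimal epoch seconds.
parse_quarantine() {
    IFS=';' read -r flags ts agent uuid <<EOF
$1
EOF
    printf 'flags=%s epoch=%d agent=%s uuid=%s\n' \
        "$flags" "$((0x$ts))" "$agent" "$uuid"
}

# show_quarantine PATH
# Reads the attribute off a file with xattr(1) and decodes it; returns 1 if absent.
show_quarantine() {
    command -v xattr >/dev/null 2>&1 || { echo "xattr not available (not macOS?)" >&2; return 2; }
    raw=$(xattr -p "$QUARANTINE_ATTR" "$1" 2>/dev/null) || { echo "$1: not quarantined"; return 1; }
    parse_quarantine "$raw"
}

# strip_quarantine PATH...
# Removes the attribute recursively, which is what "remove it" means in practice
# for an extracted tree (xattr -r recurses, -d deletes the named attribute).
strip_quarantine() {
    command -v xattr >/dev/null 2>&1 || { echo "xattr not available (not macOS?)" >&2; return 2; }
    xattr -d -r "$QUARANTINE_ATTR" "$@"
}

# lsquarantine_enabled APP_BUNDLE
# Prints the LSFileQuarantineEnabled value from the bundle's Info.plist (1 means the app
# marks files it creates as quarantined). Assumes the plist is in the usual location.
lsquarantine_enabled() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults not available (not macOS?)" >&2; return 2; }
    defaults read "$1/Contents/Info" LSFileQuarantineEnabled 2>/dev/null || echo "key not set"
}

# Usage: decode a constructed attribute value, then inspect a real path if one was given.
parse_quarantine '0081;5f000000;Safari;00000000-0000-0000-0000-000000000000'
if [ $# -gt 0 ]; then
    show_quarantine "$1"
fi
```

Run it as `sh quarantine.sh ~/Downloads/some.tar.gz` to see whether a download carries the attribute, and `strip_quarantine ./extracted-tree` to clear it from everything that inherited the bit during extraction. Note that `xattr -d` only removes the attribute from the file; the LaunchServices database entry keyed by the UUID is untouched, which is fine because Gatekeeper looks at the file's xattr.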
The MacPorts .pkg installer is probably the only thing affected, and they should be able to get that signed. (Plus, anyone using MacPorts should be capable of the right-click+open workaround.)
Actually an interesting question: will Apple be happy to sign third party app stores and package managers? Including those that, say, sell apps and take a percentage?
Pretty sure they do. Part of the point is that they can revoke the signature once it’s found to be malware, and likely the signatures for everything associated with that developer account.
They try not to, but it certainly seems like Notarization is more to be able to disable malware after it's detected than preventing it from being signed at all.