
I haven't gotten to try it to confirm but I'm having trouble imagining why an unsigned .app bundle containing a binary executable would get the code-signing error but one containing a script wouldn't. Is that in fact the case?



Sorry for not making this more clear. Create a shell script with the exploit, then remove the .sh extension. You can edit the icon to make it appear as any application and when double-clicked it will open and run in Terminal.app.


Ah, thanks for clarifying. I suppose it wouldn't have execute permissions if downloaded from a browser, but it could if copied with Finder from a network share (or directly accessed, of course), so that sounds like a potential vector.


It is a lot easier than you may think. Here is a simple demonstration: https://vid.me/gGQY


This is bullshit. If you actually put that disk image on a web server, and then download it, you'll get the unidentified developer warning and you can't run the script (there will be no button to open it).

Gatekeeper and code signing work hand-in-hand. You can run any unsigned code you want, as long as you didn't download it from the web. For example, Gatekeeper won't prevent you from running unsigned code you compiled yourself, or from running code you installed using a package manager.

OS X is smart enough to know that a shell script is equivalent to an application. You can't fool Gatekeeper quite that easily.


Oh, yeah, I should've thought about dmgs. Yikes... that seems "not OK"; but if they made shell scripts require signing I imagine that'd probably break lots of stuff.



