You can also disable AMFI, the component that enforces signatures and entitlements, altogether, but you have first to disable SIP completely by either booting into Linux of by patching the kernel and then setting the requisite NVRAM variable directly.
(`spctl` does not, in fact, disable it completely.)
Sorry, I mixed up spctl and csrutil. SIP state is stored in an NVRAM variable that is a bitfield of what is allowed. You can't change all bits with csrutil, and you can't set the variable from within macOS, both main and recovery. You have to bypass that mechanism by either patching the macOS kernel to allow setting whatever you want, or booting into an OS that doesn't perform these checks in the first place. And you need to set the bit for IIRC kernel debugging for it to honor the `amfi_get_out_of_my_way` argument.
