I considered that. The approach I'm taking was inspired by the way that Chrome creates app bundles for PWAs.
> What happens when someone publishes some malware application using their wrapped and notarized installer

The installer application simply installs the app. It doesn't in itself run any of the app's code. The installed app doesn't need to be codesigned and notarized like it would if you had just downloaded it in your web browser.
This works fine for many cases. A limitation is that apps built in this way can't be submitted to the app store. For that you would use jpackage or similar. But in most cases, this strategy is fine - and even better since it includes things like auto-updates.
> The installer application simply installs the app. It doesn't in itself run any of the app's code. The installed app doesn't need to be codesigned and notarized
Wait, then doesn't that mean Apple's intent there is broken? I mean if you can bypass its controls on installing unsigned apps by merely wrapping an unsigned (possibly malicious) app in a signed installer, then what's the point?
Very naive question but is it different from what npm, pip, etc. let you do already? Does the app installed this way get more permissions coming from a signed installer? I'm not familiar with OSX security model.
> Very naive question but is it different from what npm, pip, etc. let you do already?
npm, pip, etc. are CLI install tools. jDeploy supports CLI app distribution using npm also. But the key difference is that jDeploy provides double-clickable installers for the apps. If you're distributing a desktop app, it should be installable in the desktop (IMO). Making users go to the command-line to install the app is actually prohibitive for the average user. Even when your userbase is programmers, I find that making them go into the command-line loses them.
> Does the app installed this way get more permissions coming from a signed installer? I'm not familiar with OSX security model.
Since Catalina, you can't download and run a Mac app in any form unless it is signed and notarized. Using the signed and notarized installer allows you to get around this limitation.
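A defender-side way to check the claim in the reply above for a given bundle: Gatekeeper's download check is gated on the com.apple.quarantine extended attribute that browsers set on downloads, and an installer that writes the app's files directly does not set it. The script below is an added example, not jDeploy's code or anything posted in the thread. It uses the real macOS tools `xattr`, `spctl` and `codesign`; `/Applications/Example.app` is a placeholder path, and the macOS-only part is guarded so the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example (not jDeploy code): report how Gatekeeper would treat an
# installed app bundle. Tool invocations are macOS-only and guarded.

# Classify spctl's verbose assessment output. spctl prints a line of the
# form "<path>: accepted" or "<path>: rejected" followed by
# "source=<reason>" (e.g. "Notarized Developer ID", "no usable signature").
gatekeeper_verdict() {
    case "$1" in
        *": accepted"*) printf 'accepted' ;;
        *": rejected"*) printf 'rejected' ;;
        *)              printf 'unknown' ;;
    esac
}

# Extract the "source=" reason from spctl output (empty if absent).
gatekeeper_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# Gatekeeper only runs its download check on files carrying the
# com.apple.quarantine attribute. Input: raw output of `xattr -l <path>`.
has_quarantine() {
    case "$1" in
        *com.apple.quarantine*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line summary for a human reading the report.
summarise() {
    quarantined="$1"   # "yes" or "no"
    verdict="$2"       # accepted / rejected / unknown
    if [ "$quarantined" = "no" ]; then
        printf 'not quarantined: no Gatekeeper download check at launch'
    elif [ "$verdict" = "accepted" ]; then
        printf 'quarantined and accepted: signed and notarized'
    else
        printf 'quarantined and %s: launch would be blocked' "$verdict"
    fi
}

# Run the real tools against a bundle. Works only on macOS.
assess_app() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found: this check only runs on macOS" >&2
        return 2
    fi
    attrs=$(xattr -l "$app" 2>/dev/null)
    if has_quarantine "$attrs"; then q=yes; else q=no; fi
    # spctl exits non-zero on rejection; keep its output either way.
    sp=$(spctl --assess --type execute --verbose=4 "$app" 2>&1) || true
    v=$(gatekeeper_verdict "$sp")
    s=$(gatekeeper_source "$sp")
    printf 'quarantine=%s verdict=%s source=%s\n' "$q" "$v" "${s:-n/a}"
    summarise "$q" "$v"; echo
    # Independently verify the signature chain; fails for unsigned bundles.
    codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage: ./check_gatekeeper.sh /Applications/Example.app   (placeholder path)
if [ -n "${1:-}" ]; then assess_app "$1"; fi
```

Run it against an app installed by a wrapped installer and against the same app dragged out of a browser download: the first typically reports `quarantine=no`, the second `quarantine=yes` with a verdict that depends on whether the bundle itself is signed and notarized.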