Yes, you can notarize command tools. Doing so ensures independent approval that the code isn’t malicious, and disapproval, letting macOS block code with revoked certificates or notarization.
Mach-O
They now get signed, an Info.plist is embedded, they’re notarized by Apple, use the hardened runtime, maybe the App Sandbox, and request entitlements. So how do you check their version?
Where to see them, how they’re constructed, Apple’s rules, how they are created, and how even Apple doesn’t use them according to its own rules.
Discovering what has been updated in a macOS update isn’t easy. In the case of command tools, it’s just impossible.
Look forward to Universal Apps, which will show how well Apple Silicon Macs perform. There’s a lot of history buried in them too.
Can you strip all Intel executables from a Universal App to make it even smaller? What benefits might there be in building an app for Big Sur only?
Will stripping executable code for an unwanted platform stop an app from working? What savings are to be gained?
Apple gave us a big clue in the command tool lipo, which underwent complete overhaul in Mojave – a clear signpost of where it is heading.
How can you tell whether an app on your Mac is a Universal App, or only support Intel processors?
From launch, through security checks, TCC and privacy, RunningBoard, to memory management and the Main Event Loop. A comprehensive summary.
The Eclectic Light Company 