If you use the Installer app the wrong way, it will open an ad-hoc signed package and quietly install apps which don’t get checked by Gatekeeper.
package
Stepping through building it correctly in Xcode, turning it into an Installer package getting it notarized and the ticket stapled to the tool.
How to check whether any Installer package or app has valid certificates, using this new version of Taccy.
Validating signatures isn’t straightforward. GUI apps are limited, and command tools confusing and prone to user error.
Do you use third-party command tools? Are you using or planning to use Catalina? This explains how 10.15 changes first run checks on those tools, and their effect on all users.
Want to check whether an Installer package has been properly notarized? This new version of Taccy will do it for you.
It took 5 apps, 4 command tools in 6 commands, 2 developer certificates and an app-specific password for 260 lines of code.
First there were inodes, aliases, and links. Finder aliases already use the volfs file system, but Apple wants us to switch to its opaque Bookmarks
One of the Finder’s grand illusions, these are standard documents actually composed of a hierarchy of files and folders. Here are some details of common packages.
Here’s how to find out just what that last update installed, so you can remove it manually if necessary.
The Eclectic Light Company 