Yes, you can notarize command tools. Doing so provides independent approval that the code isn’t malicious, and a means of disapproval, letting macOS block code whose certificate or notarization has been revoked.
signature
It’s well over 4 years since Apple introduced notarization, but many executables still aren’t properly signed, and require the user to bypass Gatekeeper.
Download some vital free software, mount its disk image, run the Installer package there – but why does Ventura refuse to install it, and what do you do?
What and where is the Gatekeeper app or service? The answer is that it’s a collaborative system or technology to check apps and ensure that only trusted software is run.
Checks on app signatures and notarization of notarized apps will be performed each time they’re run. How to deal with problems, and what not to do.
GUI software and the commands you need to get the signature of an app checked thoroughly by macOS, plus a detailed list of error codes.
They now get signed, an Info.plist is embedded, they’re notarized by Apple, use the hardened runtime, maybe the App Sandbox, and request entitlements. So how do you check their version?
Is macOS going to be like iOS? Not in Ventura, where notarization is improved with additional security checks. Here are the details.
App signatures are about more than just the certificate. That provides a chain of trust going back to Apple, and supports integrity checks and entitlements.
There have been changes to the way that macOS 12 checks executable code when asked to run it. Summarised in a diagram.
