Will do.

That resolved it. Thanks!

Good. This is the behavior I was hoping for. I'm using a content filter provider for macOS, so I am using the System Extension approach.

I had not appreciated all the nuances surrounding the tightening down what had originally been a fairly open system. I can imagine there are a lot of edge cases surrounding legacy code, code running in isolated networks, running open source code downloaded from the network, etc. (Part of me would like something like iPhone's Lockdown mode for my Mac.)

Thanks. Bummer about ES sysex having to be deployed independently. I really like the Mac App Store for a variety of reasons, including for software updates. Now, I will have to investigate Sparkle or other software update mechanisms.

Thanks!

Thanks. I suspected that might be the case with signing IDs. I was hoping there was an easy way to translated Team IDs to human readable names for the organizations (see additional reply for more examples).

Perfect! I want to duplicate codesign -dv <path> So it looks like SecCode and SecStaticCode should do the trick. I'll start researching those.

A note of warning: I booted back into Monterey (I have both Monterey and Ventura beta in different volumes on the same Mac), and amfi_get_out_of_my_way setting of 0x1 is set there too. That is, setting amfi_get_out_of_my_way in Ventura affects Monterey (same Mac, different volumes). Before leaving Ventura and booting back into Monterey, I now set amfi_get_out_of_my_way to 0x0. Hopefully that keeps Monterey protected when I am working in that OS.

Thanks! sudo nvram boot-args="amfi_get_out_of_my_way=0x1" did the trick.