I distribute several AppleScript script libraries. Some of them are in .scptd bundle form and encapsulate Objective-C frameworks -- the AppleScript part is essentially a wrapper, providing terminology and some type coercion. This is basically the technique suggested as a replacement for scripting additions.
As of macOS 10.14, these no longer work with Script Editor because it can't load third-party frameworks, but they still work fine in Script Debugger, and in scripts run as standard AppleScript applets or as scripts from run within other applications.
The documents and their contained frameworks have always been distributed unsigned. Most scripters don't have developer accounts, and don't distribute their scripts widely. Some end up including the libraries in their own AppleScript applets, which they may distribute unsigned.
I'm now looking for advice on the correct way to deal with these libraries in macOS 10.15. As it stands, if someone downloads and installs one, they get an error if they try to use it.
The simplest solution form my point of view is to advise users to remove the quarantine attribute from them after they download them, which solves the problem, but for obvious reasons I'd rather not. So I'm looking for advice on a secure approach.
As I said, most users don't have developer accounts and therefore don't sign their code. Where they distribute such scripts, the user can still run them via control-open. But if I were to sign the libraries, I suspect they would lose this ability. (Control-open works where apps have no signature, but not where there's a problem with a signature, and having an app part-signed would seem likely to trigger the latter.)
Complicating matters is that Xcode doesn't seem to want to produce unsigned frameworks anymore anyway. And there's the issue of just how I sign them anyway, if I should.
I'd appreciate any guidance/suggestions.