I noticed jq (installed from Homebrew) has an ad hoc signature and is rejected by spctl but runs fine. I don't remember ever being prompted by my Mac as to whether this binary should be allowed to run.
I repeated the experiment with another binary (aescrypt) downloaded from Homebrew.
Should Gatekeeper prevent these binaries from executing until I intervene?
Is there any online documentation explaining the conditions that allow some binaries that are rejected by spctl and have no signature chain rooted at Apple to execute?
(Or am I just not understanding how to use Gatekeeper and spctl?)
codesign analysis:
% codesign -vvd /opt/homebrew/bin/aescrypt
Executable=/opt/homebrew/Cellar/aescrypt/0.7/bin/aescrypt
Identifier=aescrypt
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=545 flags=0x20002(adhoc,linker-signed) hashes=14+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none
And checking spctl analysis:
% spctl --assess -vvv /opt/homebrew/bin/aescrypt
/opt/homebrew/bin/aescrypt: rejected
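An added example (not part of the question or any answer): a small Python parser for the `codesign -vvd` report shown above that classifies a binary's signing state, so a batch of Homebrew-installed tools can be audited for ad hoc or linker-signed signatures. The first sample is the aescrypt output from the question; the Developer ID sample is constructed, with made-up identifier, company and team id.

```python
import re
from typing import Any, Dict

# Output captured from the question above (Homebrew aescrypt, ad hoc and linker-signed).
ADHOC_SAMPLE = """\
Executable=/opt/homebrew/Cellar/aescrypt/0.7/bin/aescrypt
Identifier=aescrypt
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=545 flags=0x20002(adhoc,linker-signed) hashes=14+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none
"""

# Constructed sample of a Developer ID-signed tool; identifier, company and team id are made up.
DEVID_SAMPLE = """\
Identifier=com.example.tool
CodeDirectory v=20500 size=1200 flags=0x10000(runtime) hashes=30+2 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

def parse_codesign(output: str) -> Dict[str, Any]:
    """Parse codesign -vvd text: Key=value pairs, the Authority chain as a list, flag names as a set."""
    info: Dict[str, Any] = {"Authority": [], "flags": set()}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value.strip())
        else:
            info[key.strip()] = value.strip()
        m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)  # e.g. flags=0x20002(adhoc,linker-signed)
        if m:
            info["flags"] = {f for f in m.group(1).split(",") if f and f != "none"}
    return info

def classify(info: Dict[str, Any]) -> str:
    """Summarise the signing state: ad hoc (no identity), chain rooted at Apple, or something else."""
    flags = info["flags"]
    if info.get("Signature") == "adhoc" or "adhoc" in flags:
        return "adhoc-linker-signed" if "linker-signed" in flags else "adhoc"
    if info["Authority"] and info["Authority"][-1] == "Apple Root CA":
        return "apple-rooted"
    return "other-chain"
```

On a Mac, feed it the stderr of `codesign -vvd <path>` for each binary under /opt/homebrew/bin; anything reported as ad hoc carries no team identity for Gatekeeper to evaluate.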