If my colleague and I use the same signed app and I send him the script I wrote via email, then would this script need to be signed and notarized?
There are a lot of interrelated concepts in play here:
Code signing can sign shell scripts. However, that signature ends up being stored in an extended attribute. This is quite brittle.
Due to the way that notarisation is implemented, it’s not possible to notarise a shell script.
Gatekeeper is not invoked when you run a quarantined shell script from the shell within Terminal.
Gatekeeper is invoked when you double click a quarantined shell script in the Finder and it opens in Terminal. However, it runs the open-an-executable-document code path, which behaves very differently from the run-an-executable code path.
When you embed a shell script within an app, you should embed it as data, not code. This is a bit odd — it’s reasonable to consider a shell script to be code — but there you go.
However, that advice doesn’t apply to your case. Here the shell script is more like an executable document. Gatekeeper has a mechanism for dealing with those, and if you actually want to tackle this problem then that’s what you should look into.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
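The answer's point that a script's signature lives in extended attributes can be checked directly. This added example (not from the original post or from Apple) triages a script from its attribute set: which code-signing attributes survived, and what the quarantine attribute records. The `com.apple.cs.` prefix and the `flags;timestamp;agent;uuid` quarantine layout are assumptions based on commonly observed macOS behaviour; the function names and sample values are constructed.

```python
"""Added example: triage a shell script from its extended attributes."""
from datetime import datetime, timezone

# Assumption: codesign keeps a non-Mach-O file's signature in attributes
# under this prefix (for example com.apple.cs.CodeDirectory).
SIGNATURE_PREFIX = "com.apple.cs."
QUARANTINE = "com.apple.quarantine"


def parse_quarantine(raw: bytes) -> dict:
    """Split 'flags;timestamp;agent;uuid' (hex flags, hex epoch seconds)."""
    fields = raw.decode("utf-8", "replace").rstrip("\x00").split(";")
    if len(fields) < 2:
        raise ValueError("unexpected quarantine value: %r" % raw)
    fields += [""] * (4 - len(fields))  # agent and uuid may be absent
    return {
        "flags": int(fields[0], 16),
        "when": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        "agent": fields[2],
        "uuid": fields[3],
    }


def triage(xattrs: dict) -> dict:
    """Report what a script's attributes say about signing and quarantine."""
    sig = sorted(n for n in xattrs if n.startswith(SIGNATURE_PREFIX))
    report = {"signature_attrs": sig, "quarantine": None}
    if QUARANTINE in xattrs:
        try:
            report["quarantine"] = parse_quarantine(xattrs[QUARANTINE])
        except ValueError:
            report["quarantine"] = {"malformed": True}
    return report


# Constructed samples: the script as signed by its author, and the same
# script after an email attachment round trip, which carries only the bytes.
AS_SIGNED = {
    "com.apple.cs.CodeDirectory": b"\x00" * 8,
    "com.apple.cs.CodeRequirements": b"\x00" * 8,
    "com.apple.cs.CodeSignature": b"\x00" * 8,
}
AS_RECEIVED = {QUARANTINE: b"0083;65f1a2b3;Mail;"}

if __name__ == "__main__":
    for label, attrs in (("signed", AS_SIGNED), ("received", AS_RECEIVED)):
        print(label, triage(attrs))
```

On a Mac, the attribute names and values for a real file can be listed with `xattr -l` and passed in as a dictionary; `codesign --verify` remains the authoritative check of the signature itself.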