I am helping a client package a legacy Adobe AIR application as a standalone application. The AIR compiler outputs a .app application bundle. After compiling an unsigned application bundle, I figured I might as well try sending it to the client to potentially look at while I was researching how to package the app bundle into a DMG.
I simply zipped up the bundle and sent that to the client. I expected Gatekeeper to reject the app, but the client reported they were able to run it with no issues. I haven't yet heard back on exactly what version of macOS they are using, but they mentioned it has the M1 processor, so it must be fairly recent.
From what I've read about Gatekeeper, it sounds like this should have triggered all the red flags. It was an application they downloaded from the internet (not through the App Store), which isn't notarized by Apple or even signed at all. I checked with the codesign utility to verify that the application bundle is completely unsigned.
I've read that Gatekeeper is not triggered when applications are launched from the command line, but I'm sure the client didn't launch the application from the command line. Does it not check application bundles that were extracted from zip files? Or is there something else I'm missing?
Well, this turned out to be simple - the client had previously disabled Gatekeeper through the terminal for the purposes of testing another application, and had forgotten to re-enable it.
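A quick way to confirm this kind of cause on the machine in question, as an added example that is not part of the original post: the script classifies the output of `spctl --status`, `xattr -p com.apple.quarantine` and `codesign -dv` to say whether Gatekeeper would have assessed the bundle at all. `explain_launch` and the sample strings are hypothetical and constructed here, and the matched output phrases are assumed to be the wording these tools print.

```shell
#!/bin/sh
# Added example: explain why an app bundle did or did not hit Gatekeeper.
# explain_launch is a hypothetical helper. It takes the text printed by:
#   $1  spctl --status
#   $2  xattr -p com.apple.quarantine APP   (empty if the attribute is absent)
#   $3  codesign -dv APP
explain_launch() {
    status_out=$1; quarantine=$2; codesign_out=$3

    # Global switch off: nothing is assessed, signed or not.
    case $status_out in
        *"assessments disabled"*) echo "gatekeeper-disabled"; return 0 ;;
    esac

    # The first-launch check is driven by the quarantine attribute, which
    # the downloading application sets and the unarchiver carries over.
    if [ -z "$quarantine" ]; then
        echo "not-quarantined"; return 0
    fi

    # Enabled + quarantined + unsigned: the launch should have been blocked.
    case $codesign_out in
        *"not signed at all"*) echo "blocked-unsigned"; return 0 ;;
    esac

    # Signed and quarantined: outcome depends on the signature/notarization
    # assessment (spctl --assess --type execute -v APP).
    echo "needs-assessment"
}

# Constructed sample outputs (not captured from the client's machine).
SAMPLE_DISABLED="assessments disabled"
SAMPLE_ENABLED="assessments enabled"
SAMPLE_QUARANTINE="0083;00000000;Safari;"
SAMPLE_UNSIGNED="Example.app: code object is not signed at all"

# Live check on macOS: sh gk_check.sh /path/to/Example.app
if [ -n "${1:-}" ] && command -v spctl >/dev/null 2>&1; then
    explain_launch \
        "$(spctl --status 2>&1)" \
        "$(xattr -p com.apple.quarantine "$1" 2>/dev/null)" \
        "$(codesign -dv "$1" 2>&1)"
fi
```

A result of `gatekeeper-disabled` matches the situation described above; `not-quarantined` would instead point at how the zip was transferred or extracted.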