It's used as part of Gatekeeper for software downloaded from the internet.

See https://developer.apple.com/documentation/security/notarizin... for the notarisation process and https://support.apple.com/en-us/HT202491 for the customer-facing documentation, which includes how to work around it when needed.

Gatekeeper can be totally disabled via sudo spctl --master-disable.

I see. That's a pretty developer-hostile measure. Luckily, I don't intend to ever ship any software to Macs, so it's not a problem to me. If I did want to ship a Mac version of any tool I'd write, I'd pretty hesitant to jump through Apple's hoops, so I can understand why developers don't want to notarize their stuff.

For Windows, distribution without signing isn't exactly painless either, and the signing certificates for that are quite expensive.

And there, it's not even deterministic, see https://www.digicert.com/dc/blog/ms-smartscreen-application-...

The goal of the system is to authenticate which developer made a given piece of software, to be able to track the spread of malware. An option is always given for a user to opt-out.

> Gatekeeper can be totally disabled via sudo spctl --master-disable.

If you had to do this on Linux to run software that wasn't notarized by Red Hat, HN posters would write about how unfriendly and developer hostile Linux is.