This is an entirely separate system that tracks known malware and enforces a deny list policy. You're thinking of notarization and code signing, which is an allow list policy that you're allowed to circumvent. If you don't get your app signed and notarized you at least can still run it if your users are willing to trust you. It's annoying for technical users but fine for the average folk that really shouldn't be installing random FOSS tools they've never heard of before.
Why shouldn't average folk be installing random FOSS tools they've never heard of before? Some are great. It's ridiculous that anything can be installed from the Mac App Store by anyone, where there are apps aplenty trying to trick you into some horrid weekly $60 subscription to even use the "free" app, but actually useful, trusted and free FOSS apps are positioned as harmful. But hey, Apple gets their cut...
Is this actually happening? I download directly whenever possible so the dev doesn't have to pay commission to Apple, and I've never had a download blocked.
EDIT: I see from the comments I wasn't adequately clear: yes, I get the notification, but it's hardly a "block" as the comment I was replying to said. It is by design trivial to bypass.
The Gatekeeper checks still apply to direct downloads. If you don't get a warning (that's intentionally a little difficult to bypass), the dev still signed and notarized the binary via Apple.
You get a warning popup and the application is blocked from running if it is not signed by an Apple Developer Account ($100/yr) and countersigned (i.e., notarized) by Apple.
This is separate from the 30% App Store commission.
I edited my comment to point out that Apple made it pretty trivial to run such an app. It just calls your attention to a drive-by download of an executable (though I do wonder how many people try to run such things).
You should get a pop up asking if you want to launch the app or need to go into system settings to approve it. It’s a minor speed bump and is probably for the best for non-savvy users.
I get various degrees of warning for reasons I don't know: "the developer cannot be identified" can be bypassed via right-click Open, but some apps get a worse warning like "this app is malware" or "this app is damaged and cannot be opened". For those I need to de-quarantine them with an xattr command.
For example, try installing LibreWolf via Homebrew.
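As an added example (not from any commenter in this thread): a small script that shows what Gatekeeper actually objects to for a given app bundle before anyone reaches for `xattr` to strip the quarantine flag. It assumes macOS's `xattr`, `codesign` and `spctl` tools, and the on-disk layout of the `com.apple.quarantine` value (`flags;hex-unix-timestamp;downloading-agent;uuid`); the sample attribute value in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example: inspect an app's quarantine, signature and Gatekeeper
# assessment without modifying it. Assumes the macOS CLI tools named below.
set -u

# Decode a com.apple.quarantine value such as the constructed
# "0083;66a1b2c3;Safari;0F1D2C3B-AAAA-4BBB-8CCC-000000000001":
# field 1 = flags (hex), field 2 = download time as hex Unix epoch,
# field 3 = the agent that downloaded the file, field 4 = optional uuid.
decode_quarantine() {
  old_ifs=$IFS
  set -f                 # no globbing while the value is split
  IFS=';'
  set -- $1
  IFS=$old_ifs
  set +f
  printf 'flags=%s epoch=%d agent=%s\n' "$1" "$((0x$2))" "${3:-unknown}"
}

# Report, for one .app bundle, whether it is quarantined, whether its code
# signature verifies, and what Gatekeeper's assessment is. Nothing is changed:
# the idea is to understand the dialog before deciding to bypass it.
inspect_app() {
  app=$1
  if ! command -v spctl >/dev/null 2>&1; then
    echo "not macOS: spctl not found"
    return 2
  fi
  if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
    echo "quarantined: $(decode_quarantine "$q")"
  else
    echo "not quarantined (no com.apple.quarantine attribute)"
  fi
  # Signature integrity and identity (unsigned or tampered bundles fail here).
  codesign --verify --deep --strict --verbose=2 "$app" 2>&1 | sed 's/^/codesign: /'
  # Gatekeeper's own verdict, including whether notarization was recognised.
  spctl --assess --type execute --verbose "$app" 2>&1 | sed 's/^/spctl: /'
}

# Usage: ./gk-inspect.sh /Applications/SomeApp.app
if [ -n "${1:-}" ]; then
  inspect_app "$1"
fi
```

Run it on the bundle that triggers the dialog; if codesign or spctl rejects it, that is the reason for the "damaged" or "malware" variant of the warning rather than the plain "unidentified developer" one.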
It's not really a "warning". It's an alert that says macOS will not open this app. You _have_ to open it via Finder and Control-click + Open or there's no way to get into the program. The first alert does not tell you how to do this, and other methods of launching (e.g. Launchpad) cannot be made to work.
So unless you know Apple's secret knock, it's functionally blocked.
It's hardly a secret knock. Both the linked help article and the system help tell you step by step what to do. I don't have an app handy to trigger the dialog, but last I looked the dialog, while it didn't give you the steps there, has a link directly to the system help with the instructions.
Trust me - outside of the HN technical crowd - people get very confused or scared by this and do not know how to proceed. It's a non-starter for most software aimed at the 'everyday user' crowd (I've seen the bug reports and customer complaints first hand).
It is actually blocked. The program is prevented from launching. You can go into the security settings and approve it and then relaunch it (which, last I saw, the error message didn't even tell you how to do anymore), but it's not just an "approve/deny?" skippable screen.
By that same logic, non-HSTS SSL certificate expiration warnings are browsers "blocking" you from visiting a website, despite the buttons that allow you to bypass it.
In Chrome, it's even more complicated. You have to click the very small "More/Advanced Settings" text which doesn't even really look like a button. After that, a button allowing you to proceed appears, but upon clicking you are given a very scary warning.
It's not the same. In the SSL case the browser gives you a bypass button, which is fine (if hidden). Here, there is no bypass button unless you have the secret knowledge to open the app in a certain way.
Otherwise the OS entirely refuses to open the app with no bypass button or hint as to how to get around it, while implying "security issues" and "untrustworthiness".
For certain cert errors in Chrome, there is no button/link to ignore and continue. You actually have to type "thisisunsafe" into the tab. There is no feedback when you are typing this. It will just navigate to the page you were trying to reach as soon as you finish typing.
> A warning dialog is different than being "blocked" as OP suggested
you'd see how many times I've seen users blocked with the "default" dialog you get on first download when things are correctly signed and notarized ... and let's not even talk about the one you get when notarization failed or it's not signed, elderly users really don't know that they have to right-click