The analogous message for untrusted webpages is "Go ahead, browse, because this is in the sandbox of the browser."
And, when you type stuff into a textbox and POST it over HTTP, a text box often pops up the first time, saying "This is insecure, FYI".
For text-only emails, it's plenty fine. For emails with images, there are some privacy issues, and for emails with attachments, even more issues.
For the average user that won't check MD5s, saying "This can't be trusted, throw it out" is probably the right idea. There's a lot of history of people telling others their password for a candy bar, so anything that users really want they'll get, scarygram or no.
So is Apple's CA the only way to sign these? Or is signing the DMG a well-known process using any cert? Just curious... because if it's Apple only, then this sounds like payola for being able to run on OS X.
AKA every single piece of Mac Software you can download outside the MAS today.
Do people really think that every package that is out there is going to be updated with a signature? Or will people download something, run into this prompt, and turn off the setting? I think the latter.
If you don't want your users to see that message, make sure your stuff is signed.
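Added example, not from anyone in this thread: a small shell helper that signs an app bundle with a Developer ID identity and then checks it the way Gatekeeper will, using Apple's own `codesign` and `spctl` tools. The signing identity name, the `MyApp.app` path and the return codes are my assumptions for illustration; both tools exist only on OS X, so on any other system the check reports "could not check" (exit 3) rather than silently passing.

```sh
#!/bin/sh
# Added example (not the thread's or Apple's code). Requires macOS's
# codesign and spctl. Exit codes: 0 = accepted, 1 = signature or
# Gatekeeper failure, 2 = path missing, 3 = tools unavailable.

# Sign an app bundle (or any code bundle) with a Developer ID certificate.
# The identity string is hypothetical; list real ones with:
#   security find-identity -v -p codesigning
sign_app() {
  target="$1"
  identity="${2:-Developer ID Application: Example Corp (ABCDE12345)}"
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available" >&2; return 3; }
  [ -e "$target" ] || { echo "no such path: $target" >&2; return 2; }
  # --timestamp: secure timestamp so the signature outlives the cert expiry.
  # --deep: also sign nested frameworks/helpers. --force: replace an old signature.
  codesign --force --deep --timestamp --sign "$identity" "$target"
}

# Check a signed app or DMG the way Gatekeeper will before the user sees a warning.
gatekeeper_check() {
  target="$1"
  if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
    echo "codesign/spctl not available (not macOS?)" >&2
    return 3
  fi
  [ -e "$target" ] || { echo "no such path: $target" >&2; return 2; }

  # Step 1: is the signature intact and does the certificate chain to a trusted root?
  # --strict rejects bundles with resources that are not sealed by the signature.
  if ! codesign --verify --deep --strict --verbose=2 "$target"; then
    echo "FAIL: $target has no valid signature"
    return 1
  fi

  # Step 2: ask Gatekeeper's own policy engine whether it would allow this.
  case "$target" in
    *.dmg)
      # Disk images are assessed as "open" against their primary signature.
      if ! spctl --assess --type open --context context:primary-signature --verbose=4 "$target"; then
        echo "FAIL: Gatekeeper would reject disk image $target"
        return 1
      fi ;;
    *)
      if ! spctl --assess --type execute --verbose=4 "$target"; then
        echo "FAIL: Gatekeeper would reject $target"
        return 1
      fi ;;
  esac

  echo "OK: $target would launch without the Gatekeeper warning"
  return 0
}

# Usage (assumed paths):
#   sign_app ./MyApp.app "Developer ID Application: Example Corp (ABCDE12345)"
#   gatekeeper_check ./MyApp.app
#   gatekeeper_check ./MyApp.dmg
```

Running `gatekeeper_check` on an unsigned or ad-hoc signed bundle is exactly what shows the "not from an identified developer" case: the first step passes for an ad-hoc signature, but `spctl --assess` rejects it, because the policy is about who signed it, not merely that it is signed.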