I’ve not used macOS in forever but I never had issues with cli binaries installed with Brew or Nix or just manually added to some path. Are they forcing all binaries to be signed now?
For some reason they want to distribute this command line script as a double-click installer which doesn't need to be signed either. Users will simply need to override the "this is untrusted and you shouldn't open this" dialog.
Agreed. It doesn’t seem like there is anything you’d want to do in a binary that couldn’t be done by creating an installer .pkg and just including all the logic in the post install script.
The user gets a double-click “installer”, and like you said, you don’t even need to sign it.
