Gatekeeper signing for OSX DMGs outside of OSX/XCode/Mac App Store?

Question

From looking at notes for the upcoming OSX version (the one after OSX Lion), it appears that all DMGs/installers need to be signed, even if not distributed via the Mac App store

Answer 1

Signing Disk Images (Source : Apple)

Disk images can be signed using the codesign tool on macOS 10.11.5 and later. This allows the entire disk image to be validated by Gatekeeper the first time it is mounted.

Gatekeeper will validate the contents of the disk image as well.

Disk images should only be signed with your Developer ID Application identity.

On macOS Sierra and later, spctl can be used to assess a disk image's signature, like this:

$ spctl -a -t open --context context:primary-signature -v MyImage.dmg /Users/me/Downloads/MyImage.dmg: accepted source=Developer ID

Note: A disk image signed on OS X 10.11.5 or 10.11.6 may not be able to be re-signed. In this situation, the operation will appear to succeed, but the signature will be invalid. If you encounter this condition, sign a new (unsigned) copy of the image on macOS Sierra or later.