MIR-572

macOS binary triggers Gatekeeper warning when double-clicked from Finder

Done public
phinze phinze Opened Dec 8, 2025 Updated Mar 17, 2026

Problem

Users who double-click the miren binary from Finder see a scary Gatekeeper warning: "Apple could not verify 'miren' is free of malware" - even though the binary is properly code-signed and notarized.

This only affects double-clicking from Finder. Running the binary from Terminal works fine with no warnings, which is the expected usage for a CLI tool. This is essentially a cosmetic issue, though the error message looks alarming.

Root Cause

The binary IS correctly signed (Developer ID) and notarized (ticket exists in Apple's servers). The issue is that Gatekeeper handles bare Mach-O binaries differently than .app bundles when launched from Finder:

  • spctl --assess --type install → accepted (Notarized Developer ID) ✓
  • spctl --assess --type execute → rejected ("does not seem to be an app")

Bare binaries cannot have notarization tickets stapled to them, so Gatekeeper's Finder integration shows the warning even though the online notarization check would pass.
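The two assessments above are easy to misread in CI: the execute-type rejection is expected for any bare Mach-O and should not fail a release, while the install-type result is the one that proves signing and notarization. The script below is an added example (not part of the miren project or its release workflow) that parses captured `spctl --assess ... -v` output and gates on it. It assumes the output shape "<path>: accepted" or "<path>: rejected (<reason>)" followed by a "source=" line; the sample outputs are constructed to mirror the two results in this issue, using the signing identity listed below, not captured from a real run.

```shell
#!/bin/sh
# Added example: classify spctl assessments and gate a bare CLI binary release on them.
# Assumed output of `spctl --assess --type <install|execute> -v <binary> 2>&1`:
#   "<path>: accepted"                 or  "<path>: rejected (<reason>)"
#   "source=<policy source>"               (e.g. "Notarized Developer ID")

# Print "<verdict> <detail>" for one captured assessment. Always returns 0; the
# caller decides what the verdict means for its artifact type.
classify_spctl() {
  first_line=$(printf '%s\n' "$1" | head -n 1)
  policy_source=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
  reason=$(printf '%s\n' "$first_line" | sed -n 's/.*(\(.*\)).*/\1/p')
  if [ -n "$reason" ]; then detail=$reason; else detail=${policy_source:-unknown}; fi
  case "$first_line" in
    *": accepted"*) printf 'accepted %s\n' "${policy_source:-unknown}" ;;
    *": rejected"*) printf 'rejected %s\n' "$detail" ;;
    *)              printf 'unknown %s\n' "$first_line" ;;
  esac
}

# Release gate for a bare Mach-O CLI binary: the install-type assessment must be
# accepted with a notarized source; the execute-type assessment is reported only,
# because Gatekeeper rejects every bare binary there ("does not seem to be an app")
# regardless of signing and notarization.
gate_bare_binary() {
  install_verdict=$(classify_spctl "$1")
  execute_verdict=$(classify_spctl "$2")
  case "$install_verdict" in
    "accepted Notarized Developer ID") printf 'OK   install: %s\n' "$install_verdict" ;;
    *) printf 'FAIL install: %s\n' "$install_verdict"; return 1 ;;
  esac
  case "$execute_verdict" in
    accepted*) printf 'OK   execute: %s\n' "$execute_verdict" ;;
    *) printf 'INFO execute: %s (expected for a bare binary; a .pkg, .dmg or .app changes this)\n' "$execute_verdict" ;;
  esac
  return 0
}

# On macOS, capture the real assessments for a path and run the gate. spctl exits
# non-zero on rejection, so "|| true" keeps the capture from aborting under set -e.
check_release_binary() {
  codesign --verify --strict --verbose=2 "$1" 2>&1 || { echo 'FAIL codesign verify'; return 1; }
  inst=$(spctl --assess --type install -v "$1" 2>&1 || true)
  exe=$(spctl --assess --type execute -v "$1" 2>&1 || true)
  gate_bare_binary "$inst" "$exe"
}

# Constructed sample output mirroring the results in the issue (not a real capture).
SAMPLE_INSTALL='miren: accepted
source=Notarized Developer ID
origin=Developer ID Application: Evan Phoenix (H92P352URR)'
SAMPLE_EXECUTE='miren: rejected (the code is valid but does not seem to be an app)
source=Notarized Developer ID'
SAMPLE_UNSIGNED='miren: rejected
source=no usable signature'

if [ -n "${1:-}" ]; then
  check_release_binary "$1"    # real run on macOS: sh gate.sh ./miren
else
  gate_bare_binary "$SAMPLE_INSTALL" "$SAMPLE_EXECUTE"
fi
```

Run it with a path on a macOS release host to gate the real artifact; with no arguments it evaluates the constructed samples. The gate deliberately keys on the install-type verdict because that is the check that passes for a correctly notarized bare binary, which is what the Finder warning in this issue obscures.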

Proposed Solutions

  1. Distribute as .pkg installer (recommended) - Can be stapled, standard install UX
  2. Distribute as .dmg - Can be stapled, familiar drag-to-install UX
  3. Wrap in minimal .app bundle - Gatekeeper handles these properly
  4. Document the Terminal usage - Least effort, already the expected workflow

References

  • CDHash: 806b7da3ab5cc7f498c50a0d6cdcc1451a0d3fed
  • Signing identity: Developer ID Application: Evan Phoenix (H92P352URR)
  • Workflow: .github/workflows/release.yml (lines 249-315)