Possibly a naive question but I don’t know where else to start looking, so:
macOS by default prevents running binaries downloaded from the internet unless they were signed from a known authority. How is nix able to provide binaries that don’t trigger Gatekeeper warnings?
I’ve received a fantastic answer: According to the flowchart in this article, unsigned software on Intel chips just runs (and software on ARM just runs so long as it has any signature). An Apple Developer ID is not required to distribute apps.
On a related note, some apps (e.g. Safari) will add the
com.apple.quarantine extended attribute which incurs a misleading warning dialog stating “cannot be opened because the developer cannot be verified”.