
Unsigned (arm64) binaries don't run at all on M1 Macs, so yes, an ad-hoc certificate provides a better experience ;)


I just tried an unsigned bin on M1 Big Sur and the experience is the same:

it's initially blocked with a "Move to Trash" dialog

but you can go to security prefs and click "allow anyway"

Then try again, click "open" rather than "move to trash" on another warning dialog and the file does get run.

I haven't tried a signed+un-notarized one but it sounds like it'd be similar?


I suspect that the code you're trying to run is ad-hoc signed.


Not by me... and it's my own code, built from src in a GitHub action.


When targeting ARM macOS, the linker automatically ad-hoc signs everything it outputs. You can check this by running `codesign -dvv` on the binary. Alternately, if your binary is an Intel binary running under Rosetta, those can be unsigned.


Hmm, it was built on Intel though (GitHub Actions macos runners are only Intel)

But maybe some other part of the toolchain (Gradle, GraalVM native-image) was implicitly ad-hoc signing it


https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-...

"This new policy doesn’t apply to translated x86 binaries running under Rosetta"

...I guess that's why.

The whole situation is so confusing. The article talks about how unsigned code won't run on ARM macs, but an ad hoc cert is fine.

I suppose this fits what others have said in the thread - unsigned native-ARM binaries will be completely blocked. Unsigned x86 binaries can run on ARM macs under Rosetta (what I tried... or possibly my bin was signed by the build tool).

But all these will still get blocked/warnings from Gatekeeper if un-notarized, which is the part you have to pay for.

This https://github.com/Homebrew/homebrew-core/issues/47129 suggests there is yet another factor to consider - the "quarantine" flag. Presumably downloading a tar.gz from github releases via Chrome gets a quarantine flag triggering the Gatekeeper warnings. That Homebrew issue (from 2019 though...) seems to say that "bottles" installed via Homebrew (which is basically the same thing - a precompiled bin downloaded from internet) won't have the quarantine flag set and they just need to be ad-hoc code-signed.
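The two checks this thread keeps coming back to are "is the binary ad-hoc signed or not?" (the `codesign -dvv` check from earlier in the thread) and "does the file carry the quarantine attribute?" (the Homebrew bottle point above). The following is an added example, not code from any commenter or from Homebrew: POSIX shell functions that classify a binary from the text `codesign -dvv` prints and from `xattr -l`, plus a small rule table encoding what the thread concludes. The three `codesign` outputs and the `xattr` line are constructed to resemble real output, not captured from a real binary; the `Format=` line and `expected_outcome` rules are assumptions drawn from the thread. On a Mac you would pipe real output in: `codesign -dvv ./mytool 2>&1 | classify_signature`. Notarization status is not visible in `codesign -dvv` output, so it is taken as a separate input here.

```shell
#!/bin/sh
# Added example (not from the thread). Parses codesign/xattr text to answer the
# questions discussed above. Samples below are constructed, not real captures.

# codesign -dvv prints this (and nothing else) for a binary with no signature.
SAMPLE_UNSIGNED='/Users/me/bin/mytool: code object is not signed at all'

# Constructed: what the arm64 linker's automatic ad-hoc signature looks like.
SAMPLE_ADHOC='Executable=/Users/me/bin/mytool
Identifier=mytool
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=12+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12'

# Constructed: a Developer ID signature (identity + team; cert chain lines).
SAMPLE_DEVID='Executable=/Applications/Tool.app/Contents/MacOS/Tool
Identifier=com.example.tool
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Runtime Version=11.0.0'

# Constructed: xattr -l output for a file a browser downloaded (flags;time;agent;uuid).
SAMPLE_XATTR='com.apple.quarantine: 0083;5f3d2c1a;Chrome;0A1B2C3D-0000-4000-8000-000000000000'

# Reads `codesign -dvv <file> 2>&1` on stdin; prints unsigned | adhoc | identity | unknown.
classify_signature() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'code object is not signed at all'; then
        echo unsigned
    elif printf '%s\n' "$out" | grep -q '^Signature=adhoc'; then
        echo adhoc            # ad-hoc: no certificate, just a hash tree
    elif printf '%s\n' "$out" | grep -q '^Authority='; then
        echo identity         # signed by a certificate (Developer ID, Apple, ...)
    else
        echo unknown
    fi
}

# Reads `xattr -l <file>` on stdin; succeeds if the quarantine attribute is present.
has_quarantine() {
    grep -q '^com.apple.quarantine:'
}

# Encodes the thread's conclusions. $1 arch (arm64|x86_64), $2 result of
# classify_signature, $3 quarantined (yes|no), $4 notarized (yes|no).
# Prints blocked | gatekeeper-prompt | runs.
expected_outcome() {
    if [ "$1" = arm64 ] && [ "$2" = unsigned ]; then
        echo blocked          # native arm64 needs at least an ad-hoc signature
    elif [ "$3" = yes ] && [ "$4" = no ]; then
        echo gatekeeper-prompt  # downloaded + un-notarized: "Move to Trash" / allow anyway
    else
        echo runs             # e.g. Homebrew bottle: no quarantine flag, ad-hoc signed
    fi
}

# Stand-alone demo over the constructed samples.
sig=$(printf '%s\n' "$SAMPLE_ADHOC" | classify_signature)
if printf '%s\n' "$SAMPLE_XATTR" | has_quarantine; then q=yes; else q=no; fi
echo "ad-hoc arm64 build downloaded via browser: $(expected_outcome arm64 "$sig" "$q" no)"
echo "same build as a Homebrew bottle:           $(expected_outcome arm64 "$sig" no no)"
echo "unsigned x86_64 under Rosetta, no flag:    $(expected_outcome x86_64 unsigned no no)"
```

To run against a real file on a Mac, replace the samples with `codesign -dvv ./mytool 2>&1` and `xattr -l ./mytool`; the arch comes from `file ./mytool`, and notarization from `spctl --assess --verbose ./mytool`, which the script deliberately takes as inputs rather than re-implementing.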