I think this is the OS-level signature verification; so the OS (possibly with nudging) will still allow you to _run_ the binary, but won't say "this is from FooCorp" and may nag the user on startup "this is a potentially untrustworthy binary"