Apple requires “notarization,” not just code signing. If you code sign your app and don’t “notarize” it, it will refuse to run. Like it will be harder for the end user to run it than if you had not code signed it at all. Submitting for “notarization” requires an Apple developer account with an active paid subscription and payment method. You have to upload it to Apple and wait for it to be approved in an asynchronous process which can sometimes take tens of minutes each time.
You only do that for the final build. It does prevent unscrupulous malware distributors, since there's now a paper trail linking it back to you if you did bad.
Of course, this could be abused by Apple to gatekeep, and it doesn't prevent the user from downloading the app and bypassing this security measure (so does not in actual fact stop all malware).