Code signing is about identifying who created code and resources, and verifying that they have not been modified by an unauthorized third party—nothing more and nothing less.
The code signing mechanism wraps executable images and resources in a cryptographic seal, so that they can be reliably recognized and any modification made after the items are sealed can be detected.
Since anybody can sign code, the code signing mechanism also needs a way to establish who signed it.
In a nutshell, the code signing mechanism takes our developer identity (which resides in our Keychain), combines it with our final app code bundle, and produces signed code. The important property of signed code is that it does not change. It is this signed code that we deliver to the end user, whether via the Mac App Store, via direct download, on a USB dongle, or on a CD or DVD. The method of delivery is not important; it is only the fact...
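The mechanism just described, as an added example that is not code from the original page: a constructed in-memory stand-in for an app bundle is sealed by hashing every file, the seal is signed with a private key standing in for the Keychain identity, and verification recomputes the seal so that any modification after signing, or a signer key that does not match, fails the check. The Bundle and SignedBundle types, the use of Ed25519 in place of a developer certificate, and the sample file contents are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Bundle is a constructed stand-in for an app bundle: file path -> contents.
type Bundle map[string][]byte

// SignedBundle is what ships, by any channel: files, signer's public key (stand-in for the certificate), signature.
type SignedBundle struct {
	Files  Bundle
	Signer ed25519.PublicKey
	Sig    []byte
}

// SealBundle digests every path and file SHA-256 in sorted order; any later edit changes the seal.
func SealBundle(b Bundle) []byte {
	paths := make([]string, 0, len(b))
	for p := range b {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		sum := sha256.Sum256(b[p])
		fmt.Fprintf(h, "%s:%x\n", p, sum[:])
	}
	return h.Sum(nil)
}

// Sign combines the developer identity (the private key) with the bundle's seal.
func Sign(b Bundle, priv ed25519.PrivateKey) SignedBundle {
	return SignedBundle{Files: b, Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, SealBundle(b))}
}

// Verify recomputes the seal from the delivered files; it fails if any file changed or the signer key does not match.
func Verify(sb SignedBundle) bool {
	return ed25519.Verify(sb.Signer, SealBundle(sb.Files), sb.Sig)
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // demo identity, generated fresh
	signed := Sign(Bundle{"Contents/MacOS/App": []byte("binary")}, priv)
	fmt.Println("intact:", Verify(signed)) // true
	signed.Files["Contents/MacOS/App"] = []byte("patched")
	fmt.Println("after modification:", Verify(signed)) // false
}
```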