Does gatekeeper not check apps stored in /Applications/

gatekeeper

So I am not sure if this is supposed to happen, but applications in '/Applications/' do not appear to be checked by Gatekeeper. (As I previously asked and self-answered about having to 'reset gatekeeper to default', the many exceptions I had added for various applications are now gone.) However, applications I know are not signed are still allowed to run.

After a manual check:
I manually checked things because I wanted to be certain that I hadn't made some sort of mistake. spctl says it's rejected, but it can still open. Tor Browser shouldn't be allowed to run with my current ruleset, which doesn't have a gatekeeper exception and has me only allowing apps from the App Store. If I download the Tor Browser Bundle from the Tor Project's website and try to open it, I'm denied. Is gatekeeper not checking apps in /Applications/, or, since I've run it in the past, is there a separate exception list outside of gatekeeper? If so, how would one reset that list as well? (Note: I did a reboot after the reset to default to be safe, and the question still remains.) Since I reset gatekeeper, the app's hash is no longer exempt.

Best Answer

If I remember correctly, executables are only checked by Gatekeeper if they have the quarantine filesystem attribute attached. And the quarantine filesystem attribute is (optionally) added by applications which download files from the internet.

So if Gatekeeper is not checking files, it could be because the quarantine attribute has already been removed (after a successful check) or because they were downloaded using an application that doesn't apply it in the first place (for example, I think some torrent applications don't apply it, whereas most if not all web browsers do).

For example, I just downloaded Firefox using the Safari web browser, so if I run ls -l@ Firefox\ 54.0.1.dmg to show any attached file system attributes, I get the following, which includes the quarantine tag:

-rw-r--r--@ 1 alistair  staff  59438170  7 Jul 00:23 Firefox 54.0.1.dmg
    com.apple.metadata:kMDItemDownloadedDate          53 
    com.apple.metadata:kMDItemWhereFroms         203 
    com.apple.quarantine          61 

This is why you see people suggesting removing the quarantine tag as a way to get around the Gatekeeper security prompts.
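
The check described in the answer, applied to a whole `ls -l@` listing so you can see which entries still carry `com.apple.quarantine`. This is an added example, not part of the original answer; the `quarantine_report` and `sample_listing` names and the two `.app` entries in the sample are constructed for illustration, and it assumes owner and group names contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original answer).

# Constructed sample: the Firefox entry is the listing shown in the answer;
# the "total" line and the two .app entries are made up for illustration.
sample_listing() {
    cat <<'EOF'
total 116096
-rw-r--r--@ 1 alistair  staff  59438170  7 Jul 00:23 Firefox 54.0.1.dmg
    com.apple.metadata:kMDItemDownloadedDate          53
    com.apple.metadata:kMDItemWhereFroms         203
    com.apple.quarantine          61
drwxr-xr-x@ 3 alistair  staff        96  7 Jul 00:30 Example.app
    com.apple.metadata:kMDItemWhereFroms         203
drwxr-xr-x  3 alistair  staff        96  7 Jul 00:31 NoAttrs.app
EOF
}

# quarantine_report: read `ls -l@` output on stdin and print one line per
# entry, "quarantined<TAB>name" or "not-quarantined<TAB>name".
quarantine_report() {
    awk '
    function emit() {
        if (name != "")
            printf "%s\t%s\n", (q ? "quarantined" : "not-quarantined"), name
    }
    # Attribute lines are indented beneath the entry they belong to.
    /^[ \t]+[^ \t]/ {
        if ($1 == "com.apple.quarantine") q = 1
        next
    }
    # Entry lines start with the mode string, e.g. "-rw-r--r--@".
    /^[-dlbcps][-rwxsStT]+/ {
        emit()
        line = $0
        # Drop mode, links, owner, group, size and the three date fields;
        # what is left is the name, with any embedded spaces preserved.
        for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)
        name = line
        q = 0
    }
    END { emit() }
    '
}

# On macOS: ls -l@ /Applications | quarantine_report
sample_listing | quarantine_report
```
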