from what I understand the OS verifies the developer signature but I don't know the exact mechanisms