Comment 3 for bug 243850

I don't think a command line tool would be a problem, it's easy to run it using NSTask.

The initial reason that code signers don't have to do double work is not true, because what should be signed is the downloaded archive/disk image/package, not the bundle (an installer can be just as malicious, if not more so, than an app).