Is it possible to add another public key to SIP? Or an Exception?


So I’m sure this is the wrong place to post this — I’m using a real Mac (just with some non-Apple hardware), I have a valid ID for signing packages, and it seems to be more of a development related thing in general, but I don’t know where else to put this.

 

Anyway, it doesn’t feel great to disable System Integrity Protection for good just because I’m using an ExpressCard USB 3 adapter on my MacBook Pro, or even just for kexts, so I was wondering if this is just the wrong approach entirely: SIP and Gatekeeper work by verifying the code signature of a bundle. If the code signature is signed or cross-signed by Apple and otherwise is valid (or if there is no signature), the system doesn’t {censored}. If the signature is there, but isn’t signed by Apple, it {censored} but not very loudly. And if there is an invalid signature, the system {censored} VERY loudly.

 

So my thought is that instead of whitelisting or disabling signature verification, why can’t I whitelist my own certificate and sign things I install? This is how I sideload open source apps to my iOS device, but it works because a developer can sideload apps they sign. But can’t I add a different key to the valid list? Where is it? Surely someone else thought of this a while ago, so why isn’t it a thing?
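The three outcomes the post describes can be checked per bundle from codesign(1) output. The script below is an added example, not from the original post or from Apple; `audit_bundle` needs a Mac, while `classify_signature` is plain text processing over constructed codesign messages (the `Example (TEAMID)` Developer ID line is a made-up placeholder).

```shell
#!/bin/sh
# Added example, not from the original post. Sorts a bundle's code
# signature into the cases the post describes (Apple-chained / signed but
# not by Apple / unsigned / invalid) from codesign(1) output. audit_bundle
# needs macOS; classify_signature is plain text processing and runs anywhere.

# classify_signature VERIFY_STATUS VERIFY_STDERR DETAIL_STDERR
#   VERIFY_STATUS / VERIFY_STDERR: from `codesign --verify --deep --strict`
#   DETAIL_STDERR: from `codesign -dvv` (carries the Authority= chain)
classify_signature() {
    status="$1"; verify_msg="$2"; detail="$3"
    if [ "$status" -ne 0 ]; then
        case "$verify_msg" in
            *"not signed at all"*) echo unsigned ;;   # no signature: SIP/Gatekeeper stay quiet
            *)                     echo invalid ;;    # tampered or malformed: the loud case
        esac
        return 0
    fi
    # The signature verifies; decide who anchors the chain.
    case "$detail" in
        *"Authority=Apple Root CA"*) echo apple-chained ;;  # Apple or Developer ID
        *)                           echo non-apple ;;      # self-signed or ad-hoc
    esac
}

# audit_bundle PATH: run codesign and classify the result (macOS only).
audit_bundle() {
    if verify_msg=$(codesign --verify --deep --strict "$1" 2>&1); then
        status=0
    else
        status=$?
    fi
    detail=$(codesign -dvv "$1" 2>&1 || true)
    printf '%s: %s\n' "$1" "$(classify_signature "$status" "$verify_msg" "$detail")"
}

# Constructed codesign output so the classifier can be tried without a Mac.
demo_classification() {
    devid='Authority=Developer ID Application: Example (TEAMID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
    classify_signature 0 '' "$devid"                                   # apple-chained
    classify_signature 0 '' 'Signature=adhoc'                          # non-apple
    classify_signature 1 'x.kext: code object is not signed at all' '' # unsigned
    classify_signature 1 'x.kext: invalid signature (code or signature have been modified)' '' # invalid
}

if [ "$#" -gt 0 ]; then audit_bundle "$1"; else demo_classification; fi
```

A chain ending in Apple Root CA is what the post calls "signed or cross-signed by Apple"; a certificate you issue yourself never produces that line, because the trust anchor lives in the OS, not in your keychain.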
