From looking at notes for the upcoming OSX version (the one after OSX Lion), it appears that all DMGs/installers need to be signed, even if not distributed via the Mac App store.
I couldn't find a command-line tool to do this signing though, or much documentation about obtaining a signing cert without submitting to the App Store.
Can someone shed light on: 1) How to obtain a certificate without distributing you app via the Mac App Store? 2) How to sign a DMG without using built-in XCode tools (preferable a cross-platform tool)?
Thanks!
Codesigning is described in detail here and here - basically you need to obtain a cert and then you can sign your application... AFAIK there is currently no official docs on signing the DMG itself. As for your second question (cross-platform signing) there no such tool available (at least none that is officially supported by Apple). As for information regarding future OS X version(s) I highly recommend asking on the proper Apple-Forums (usually there are also forums for NDA-related things).