Gatekeeper checks the code-signing information of downloaded items and blocks those that do not adhere to system policies. (For example, it checks that items are signed with a valid developer ID.) For a technical deep dive into Gatekeeper’s internals as well as some of its shortcomings, see (Patrick Wardle’s) talk “Gatekeeper Exposed.”