On macOS Ventura and later, every launchd agent surfaces in System Settings → Login Items. When an agent’s ProgramArguments[0] is /bin/sh and the binary isn’t codesigned by an identified developer, macOS displays it as “sh from unidentified developer.” The AssociatedBundleIdentifiers plist key tells macOS which app to attribute the agent to, fixing the display.
Nix - Home Manager wraps launchd agents in /bin/sh -c "/bin/wait4path /nix/store && exec <binary>" to block until the Nix store is mounted at boot. This is the correct pattern: the alternative, KeepAlive.PathState, causes launchd to penalize the service when the path isn’t available at launch time. The cost is that every Home Manager agent shows as “sh” in Login Items, which is both ugly and confusing (a user might read “unidentified developer” as malware).
The fix is to set AssociatedBundleIdentifiers per-agent. Home Manager’s launchd module declares freeformType = attrsOf anything, so arbitrary plist keys are accepted without upstream changes. Two patterns: real apps get their own bundle ID, CLI tools get associated with a parent app (typically the terminal):
# Real app bundle
launchd.agents.aerospace.config.AssociatedBundleIdentifiers = "bobko.aerospace";
# CLI tool, associate with parent app
launchd.agents.atuin-daemon.config.AssociatedBundleIdentifiers = "com.mitchellh.ghostty";The key accepts a string or an array of strings, and the bundle must be installed on the system; otherwise macOS may still show “unidentified developer.” After changing plists, the cached BTM database needs resetting with sudo sfltool resetbtm followed by a reboot. Caveat: that command also clears “Open at Login” items, which don’t auto-restore; dump first with sudo sfltool dumpbtm > ~/Documents/btmdump.txt.
This is a presentation fix only, not a codesigning or Gatekeeper change. Linux’s systemd user services don’t surface in the OS UI the same way, so the issue is Darwin-specific. See macOS Hostname Layers for another configd-area Darwin quirk that surfaces in System Settings.