checks the signed hash of the application against the current hash and keeps the application from starting if it differs because obviously something altered the application.
You can override this and it will not ask you again.
You can configure which kind of signature to accept: Only App-Store Applications or any registered developer.
Or you can switch it off completely, which is stupid.
What you mentioned are the file-quarantine extended attributes that are set by Safari et al if a file has been downloaded from the net.
On the initial run of a quarantined binary this enforces verifying the users intention and a check against a list of known malware.
Files from some known well-known applications are quarantined per default or developers can turn this feature on for their application.
This is a measure against unintentional execution of unknown binaries (drive-by-download?) and - again - it can be disabled.