For me, it was a combination of not having a correctly configured provisioning profile, and wanting to use iCloud KVS. If you don't sign your code, it runs fine. Apparently, if you sign it incorrectly, but don't ask for certain features, it also runs fine (with gatekeeper turned off).
This is just misinformation. Gatekeeper doesn't enforce entitlements such as the one that allows you to use iCloud KVS. It merely distinguishes between 3 classes of app: (1) those that are code-signed with an app store distribution certificate; (2) those that are code-signed with a developer ID distribution certificate; and (3) all others, which includes apps signed with a developer ID development (personal) certificate, and apps that aren't code-signed at all. Based on that distinction, Gatekeeper does nothing but arbitrate whether the app can be launched at all.
Entitlements are arbitrated by a (non-wildcard) provisioning profile.
For development purposes, you need a profile you create yourself, that identifies the Macs on which the development app can be run. For distribution purposes, you need an Apple-provided profile that is inserted as part of the app store distribution process, that doesn't identify any Macs specifically.
In the first case, usage of the app is limited to the Macs listed in the provisioning profile. In the second case, usage of the app is limited to Macs (users, really) that can download the app from the store.
Code signing doesn't come into this, except as a means of protecting the provisioning profile from being falsified.
On a tangential note. I'd like to use gatekeeper, but there's no way to permanently except/approve an application that I can see (similar to the first run thing). That's a silly design choice, to me.
What does this mean? Are you talking about exempting the app you're developing, or other developers' apps? Why would you "like to use" Gatekeeper, if you want to disable its checks?