Oops, you are right, "Block" does the thing well. But "Ask" doesn't work, and "Ask" is what I need. How do I make "Ask" work on a file with a digital signature?
The only option left would be to use D+ in paranoid mode without switching back to the other modes that make use of safelisted auto-learning.
This way it is possible to initially configure the policy for many applications in other modes and then apply additional changes in paranoid mode.
In paranoid mode it is still mentioned if an app is safelisted, so it would be possible to also create custom predefined policies and assign them to any application regardless of whether it is safelisted.
This way it is possible to choose how many additional alerts safelisted apps are going to trigger as soon as an alert is displayed.
Installing some new trusted application can be addressed using Treat as Installer or updater as usual, whereas it would be reasonable to not use that option for unknown applications.
Some members also prefer to temporarily switch to an alternate configuration with CleanPC mode enabled when they are installing new apps.
This will allow them to monitor what files are created during an installation (in CleanPC mode the pending file list is updated automatically and lists all unknown/non-safelisted files).
As policy changes and settings are stored in the active configuration, switching configurations will not retain policy changes and in those cases it is only meant to have the installers work seamlessly.