DMG is stapled & notarized yet user cannot open in Finder

Hey all. I "Archived" my XCode application, notarized through XCode, exported the .app and used a program create-dmg to generate a DMG for me. I then notarized this using the xcrun notarytool submit Lyric\ Fever\ 1.7.dmg --keychain-profile "notarytoolProfile" command as well as xcrun stapler staple Lyric\ Fever\ 1.7.dmg, both of which passed.

Running syspolicy_check distribution also passes. So does xcrun stapler validate.

This dmg still fails when testing using spctl. spctl -a -t open -vvv --context context:primary-signature Lyric\ Fever\ 1.7.dmg generates the following error:

Lyric Fever 1.7.dmg: rejected
origin=Apple Development: Avi Wadhwa (#######)

Furthermore, I uploaded this dmg to github and redownloaded it. This newly downloaded dmg does not open in finder, prompting the "unidentifier developer, malware" message.

Yet xcrun stapler validate passes, and so does syspolicy_check distribution. I know as per Eskimo's previous posts that this is not the ideal way to test notarization (and setting a macOS vm is the best method), but if I cannot download my own dmg from GitHub then something is clearly wrong.

You signed your disk image with your Apple Development signing identifier. It needs to be signed with your Developer ID Application one.

For specific advice on how to create your disk image, see Packaging Mac software for distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

DMG is stapled & notarized yet user cannot open in Finder
 
 
Q