I have a similar issue with my application.
All work perfectly fine on the latest Mojave version.
I have an application bundle, which has been signed, and notarized. This process went fine, no problem even on Catalina. the spctl command works fine;
This application is packaged in a DMG for distribution purpose. The DMG has been signed using my Developer ID Application certificate with the following command:
% codesign -s "Developer ID Application" --timestamp Hopper-4.5.12-demo.dmg
then the DMG has been sent for notarization, and stapled (I just removed the --username and --password of the first command):
% xcrun altool --notarize-app --primary-bundle-id "com.cryptic-apps.hopper-web-4" --file Hopper-4.5.12-demo.dmg
...
% xcrun stapler staple Hopper-4.5.12-demo.dmg
Processing: /Users/bsr/Downloads/Hopper-4.5.12-demo.dmg
Processing: /Users/bsr/Downloads/Hopper-4.5.12-demo.dmg
The staple and validate action worked!
When I check the final DMG, the signature seems valid:
% codesign -dvvv Hopper-4.5.12-demo.dmg
Executable=/Users/bsr/Downloads/Hopper-4.5.12-demo.dmg
Identifier=Hopper-4.5.12-demo
Format=disk image
CodeDirectory v=20200 size=306 flags=0x0(none) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=700a0162de956bce7163e5b81bbc5fb9c87af48b
CandidateCDHashFull sha256=700a0162de956bce7163e5b81bbc5fb9c87af48bb5039f7a3cef2e657bdc51ba
Hash choices=sha256
CMSDigest=700a0162de956bce7163e5b81bbc5fb9c87af48bb5039f7a3cef2e657bdc51ba
CMSDigestType=2
CDHash=700a0162de956bce7163e5b81bbc5fb9c87af48b
Signature size=8923
Authority=Developer ID Application: Cryptic Apps (2AMA2753NF)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=26 Jun 2019 at 11:36:24
Info.plist=not bound
TeamIdentifier=2AMA2753NF
Sealed Resources=none
Internal requirements count=1 size=180
The stapler validation seems OK too:
% xcrun stapler validate Hopper-4.5.12-demo.dmg
Processing: /Users/bsr/Downloads/Hopper-4.5.12-demo.dmg
The validate action worked!
But I have issues with spctl (the same command works on Mojave):
% spctl --assess --verbose --type open --context "context:primary-signature" Hopper-4.5.12-demo.dmg
Hopper-4.5.12-demo.dmg: rejected
An interesting point is that "--type install" works (??):
% spctl --assess --verbose --ignore-cache --type install Hopper-4.5.12-demo.dmg
Hopper-4.5.12-demo.dmg: accepted
source=Notarized Developer ID
But I have an error if I double-click on the DMG in the Finder on Catalina (it works fine on Mojave)...