We have a launchd service, it's installed by our product and can be updated by this product directly. The updated service binary is delivered as a .zip file. We do notarize this zip with the service inside, it works. Now we cannot staple the ticket to the binary since Mach-O stapling is not supported. My understanding is that we don't need to do anything about this and Gatekeeper will take care of everything (i.e. will check notarization status with Apple). Is this correct assumption? Is there anything else we can do make this work better?
Gatekeeper will check for a notarization ticket when your binary is launched if the machine is connected to the internet.
You can't staple a Mach-O at this time, but as Vladimir said, you can staple a pkg. You can also staple disk images, which might be closer to your current workflow with zip files.
If you don't do anything Gatekeeper will display an alert if the user is offline when the binary is launched. If they are online they will download and cache the ticket and the user won't see an alert.
You should have a look at the Notarizing macOS Software article and the WWDC 2019 talk - All About Notarization. These are some great resources and there are more links at the bottom of those pages for more information about notarization.
You can't staple a Mach-O at this time, but as Vladimir said, you can staple a pkg. You can also staple disk images, which might be closer to your current workflow with zip files.
If you don't do anything Gatekeeper will display an alert if the user is offline when the binary is launched. If they are online they will download and cache the ticket and the user won't see an alert.
You should have a look at the Notarizing macOS Software article and the WWDC 2019 talk - All About Notarization. These are some great resources and there are more links at the bottom of those pages for more information about notarization.
 
  
  
  
    
  
