How to correctly entitle and code sign for distribution outside the App Store?

While I can get a simple webextension to load on my development machine, I can't figure out how to package it for distribution. What are the requirements for doing so? I've tried:
  1. Enabling hardened runtime

  2. Clicking the checkbox to allow Apple events.

  3. Removing the "strip" step from the build process to avoid warnings about code signature being invalidated.

  4. Signing both Extension and App with a Developer ID Application certificate.

  5. Notarizing the App.

  6. Exporting the notarized app.

After doing the above, I copy the notarized app to a testing machine. I can then run it. A dialog pops up that says: "Foo extension is currently off. You can turn it on in Safari Extension preferences." But when I click the button to open Safari Extension preferences, the extension is not listed.

What am I doing wrong?

Distribution to end users for Safari Web Extensions is limited to the Mac App Store. You can test Safari Web Extensions distributed with a notarized app by using the Allow Unsigned Extensions option from the Develop Menu.