Notarization fails for flat installer package containing notarized app

I am trying to notarize a flat installer package which is built on macOS 10.14.6 as follows. It is a demo installer of our production application.

The .pkg is built using packagesbuild:

/usr/local/bin/packagesbuild "/sourcePath/AppInstallerName.pkgproj"

Included inside the .pkg as part of this build process is our application AppName.app which has been codesigned and notarized (uploaded as AppName.zip and then AppName.app is successfully stapled) at an earlier point in time (i.e. when AppName.app was being built). Note: I've also read (@eskimo's comment on https://developer.apple.com/forums/thread/129024) that having a notarized subcomponent inside the outermost container can be bad, so I've tested with an un-notarized AppName.app also, which has the same results as described below.

Running codesign -vv -R="notarized" /appPath/AppName.app on the app results in:

<path>AppName.app: valid on disk
<path>AppName.app: satisfies its Designated Requirement
<path>AppName.app: explicit requirement satisfied

Running codesign -vv -R="notarized" /appPath/AppName.app/Contents/MacOS/AppName on the executable results in:

<path>AppName.app: valid on disk
<path>AppName.app: satisfies its Designated Requirement
<path>AppName.app: explicit requirement satisfied

Running spctl --assess --verbose <path>AppName.app on the app results in:

<path>AppName.app: accepted
source=Notarized Developer ID

The .pkg is then signed using productsign:

/usr/bin/productsign --sign "Developer ID Installer: companyName (companyId)" "/sourcePath/build/AppInstallerName.pkg" "/targetPath/AppInstallerName.pkg"

Note: this is the first time we are using this new Developer ID Installer certificate.

Running pkgutil --check-signature "/targetPath/AppInstallerName.pkg" on the package results in (XX's used to redact real SHA1 fingerprints):

Package "AppInstallerName.pkg":
  Status: signed by a certificate trusted by Mac OS X
  Certificate Chain:
  1. Developer ID Installer: companyName (companyId)
    SHA1 fingerprint: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
    -----------------------------------------------------------------------------
  2. Developer ID Certification Authority
    SHA1 fingerprint: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
    -----------------------------------------------------------------------------
  3. Apple Root CA
    SHA1 fingerprint: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX

I then try to notarize AppInstallerName.pkg by running xcrun altool --notarize-app --primary-bundle-id au.com.companyName.AppInstallerName --username userName@companyName.com.au --password @keychain:altool --asc-provider companyId --file /targetPath/AppInstallerName.pkg which results in:

No errors uploading 'AppInstallerName.pkg'.
RequestUUID = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Eventually notarization fails and the log shows:

{
  "logFormatVersion": 1,
  "jobId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "AppInstallerName.pkg",
  "uploadDate": "2023-02-09T03:57:37Z",
  "sha256": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "AppInstallerName.pkg/Application.pkg Contents/Payload/Applications/AppInstallerName/AppName.app/Contents/MacOS/AppName",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "AppInstallerName.pkg/Application.pkg Contents/Payload/Applications/AppInstallerName/AppName.app/Contents/MacOS/AppName",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}

I have read various Apple documentation, forum posts (here and elsewhere, thanks for the help getting this far @eskimo :) ), archives and anything else I could find on notarization, notarization errors, code signing, etc. but I am stuck on this and have no more ideas on what I can do to fix the issue. Any help would be greatly appreciated.

Note: We have been able to successfully notarize 4 other applications (AppName, AppNameClient, AppNameServer & AppNameFullInstaller) but none of these use the flat installer package infrastructure. The AppNameFullInstaller is just another application we build to mimic a macOS installer so it doesn't use packagesbuild or productsign. Is it possible that having a codesigned app inside a productsigned installer is the cause? If so, how would I go about resolving that?

As I am writing this I found another article where @eskimo suggested having a notarized "object"
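The notary log above encodes, in each issue's "path" field, exactly where the rejected binary sits: the outer installer package, then each component package (reported as "<name>.pkg Contents"), then "Payload", then the path inside the payload. The following script is an added example, not code from the original post or from Apple: it parses a log of that shape, collapses the per-architecture entries for the same file, and resolves the innermost bundle that has to be re-checked locally before resubmitting. The embedded log is a constructed sample that mirrors the structure of the one quoted above, with placeholder identifiers; the function and variable names are my own.

```python
"""Triage an Apple notary service log: which nested binaries failed, and where they sit."""
import json
from collections import defaultdict

# Constructed sample log. It mirrors the shape of the log quoted in the post
# (status, statusSummary, issues[] with path/message/architecture); the job id
# is a placeholder, not a real value.
SAMPLE_LOG = """
{
  "logFormatVersion": 1,
  "jobId": "00000000-0000-0000-0000-000000000000",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "AppInstallerName.pkg",
  "issues": [
    {"severity": "error", "code": null,
     "path": "AppInstallerName.pkg/Application.pkg Contents/Payload/Applications/AppInstallerName/AppName.app/Contents/MacOS/AppName",
     "message": "The signature of the binary is invalid.",
     "architecture": "x86_64"},
    {"severity": "error", "code": null,
     "path": "AppInstallerName.pkg/Application.pkg Contents/Payload/Applications/AppInstallerName/AppName.app/Contents/MacOS/AppName",
     "message": "The signature of the binary is invalid.",
     "architecture": "arm64"}
  ]
}
"""

# Bundle types whose signature covers the binaries nested inside them.
BUNDLE_SUFFIXES = (".app", ".framework", ".kext", ".bundle", ".xpc", ".plugin", ".appex")


def parse_notary_log(text):
    """Load the JSON log and make sure it is a format we understand."""
    log = json.loads(text)
    if log.get("logFormatVersion") != 1:
        raise ValueError("unsupported notary log format version: %r" % log.get("logFormatVersion"))
    log.setdefault("issues", [])
    return log


def split_location(path):
    """Split a notary-log path into (container packages, path inside the payload)."""
    containers, payload, in_payload = [], [], False
    for seg in path.split("/"):
        if in_payload:
            payload.append(seg)
        elif seg == "Payload":
            in_payload = True
        elif seg.endswith(".pkg Contents"):          # component package inside a product archive
            containers.append(seg[: -len(" Contents")])
        elif seg.endswith(".pkg"):                   # the outer (distribution) package
            containers.append(seg)
        else:                                        # no package wrapper, e.g. a bare .app upload
            in_payload = True
            payload.append(seg)
    return containers, "/".join(payload)


def innermost_bundle(payload_path):
    """Return the deepest bundle on the path, or the file itself if it is a bare binary."""
    segs = payload_path.split("/")
    for i in range(len(segs) - 1, -1, -1):
        if segs[i].endswith(BUNDLE_SUFFIXES):
            return "/".join(segs[: i + 1])
    return payload_path


def triage(log):
    """Group issues per file (one entry per binary, all architectures merged)."""
    grouped = defaultdict(lambda: {"architectures": set(), "messages": set(), "severities": set()})
    for issue in log["issues"]:
        g = grouped[issue["path"]]
        g["architectures"].add(issue.get("architecture") or "unknown")
        g["messages"].add(issue["message"])
        g["severities"].add(issue["severity"])
    results = []
    for path, g in sorted(grouped.items()):
        containers, payload_path = split_location(path)
        results.append({
            "path": path,
            "containers": containers,
            "payload_path": payload_path,
            "bundle": innermost_bundle(payload_path),
            "architectures": sorted(g["architectures"]),
            "messages": sorted(g["messages"]),
            "blocking": "error" in g["severities"],
        })
    return results


def report(log):
    """Human-readable summary with the local check to run before resubmitting."""
    lines = ["%s: %s (%s)" % (log["archiveFilename"], log["status"], log.get("statusSummary", ""))]
    for r in triage(log):
        lines.append("  %s [%s] %s" % ("ERROR" if r["blocking"] else "warn",
                                       ", ".join(r["architectures"]), "; ".join(r["messages"])))
        lines.append("    nested in: %s" % " -> ".join(r["containers"]) if r["containers"] else "    not wrapped in a package")
        lines.append("    bundle to verify locally: %s" % r["bundle"])
        lines.append("    e.g. pkgutil --expand-full <pkg> <dir>; codesign --verify --deep --strict --verbose=2 <dir>/.../%s" % r["bundle"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_notary_log(SAMPLE_LOG)))
```

Because the two entries for the same file differ only in their "architecture", the triage collapses them into one item covering both slices of the universal binary: a Mach-O that fails for both x86_64 and arm64 points at the whole file's signature rather than at one slice. The reported bundle is the thing to verify on the build machine after expanding the package, since that is the signature the notary service re-checks.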

You’re building your installer package using a third-party tool. Does the problem reproduce if you build it using Apple’s tools?

You don’t need to build something production ready here; just use our tools to create a package you can test against the notary service. There’s a simple command for doing that in Packaging Mac Software for Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
