Notarized and stapled PKG installer rejected by Gatekeeper on macOS Sequoia (Team ID: 3888L7DV3P)

Dear Apple Developer Support,

We are experiencing an issue where our properly signed, notarized, and stapled PKG installer is being blocked by Gatekeeper on macOS Sequoia (15.3), despite passing all notarization checks.

Team ID: 3888L7DV3P
Organization: SKY GATE TECHNOLOGYS K.K.
Certificate: Developer ID Installer: SKY GATE TECHNOLOGYS K.K. (3888L7DV3P)

Issue Details:

  • Our PKG installer is signed with "Developer ID Installer" certificate, notarized (status: Accepted, issues: null), and stapled successfully.
  • pkgutil --check-signature confirms: "signed by a developer certificate issued by Apple for distribution" and "Notarization: trusted by the Apple notary service"
  • xcrun stapler validate confirms: "The validate action worked!"
  • However, spctl --assess --type install returns "rejected" with assessment:verdict = false and assessment:remote = true
  • The system log shows: meetsDeveloperIDLegacyAllowedPolicy = 0
  • When users download and open the PKG (even from within a notarized DMG), Gatekeeper displays: "Apple could not verify [app] is free of malware"

Notably, our .app bundles signed with "Developer ID Application" (same Team ID) pass Gatekeeper without issues. Only PKG installers are affected.

Our software is a legitimate enterprise security product (VPN/Zero Trust client) distributed to corporate customers.

Could you please:

  1. Investigate why our Team ID's PKG installers are being rejected by Gatekeeper's online assessment despite valid notarization
  2. Advise on any steps we can take to resolve the meetsDeveloperIDLegacyAllowedPolicy = 0 status for our Team ID
  3. Confirm whether there is a trust establishment process for new Developer ID Installer certificates with the Gatekeeper service

Thank you for your assistance.

Best regards,
Riku Ogura
Skygate Technologies K.K.
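The three checks listed in the post can be combined into one triage step that separates "notarization is incomplete" from "notarized but still rejected by the Gatekeeper assessment". This is an added example, not part of the original post: the function names and verdict labels are hypothetical, the match strings are the ones quoted in the post, and `-vv` is added to the post's `spctl` command on the assumption that its verbose verdict line reads `<path>: accepted` or `<path>: rejected`.

```shell
#!/bin/sh
# Added example: triage a .pkg using the three checks quoted in the post.
# Match strings are the ones quoted there; ": accepted" / ": rejected" is the
# verbose spctl verdict line (assumption: -vv is added to the post's command).

# classify_pkg SIG_OUTPUT STAPLER_OUTPUT SPCTL_OUTPUT -> prints one verdict
classify_pkg() {
    sig=$1; staple=$2; assess=$3
    signed=no; notarized=no; stapled=no; accepted=no
    case $sig in
        *"signed by a developer certificate issued by Apple for distribution"*) signed=yes ;;
    esac
    case $sig in
        *"Notarization: trusted by the Apple notary service"*) notarized=yes ;;
    esac
    case $staple in
        *"The validate action worked!"*) stapled=yes ;;
    esac
    case $assess in
        *": rejected"*) accepted=no ;;
        *": accepted"*) accepted=yes ;;
    esac

    if [ "$signed" = no ]; then
        echo "signature-not-trusted"
    elif [ "$notarized" = no ] || [ "$stapled" = no ]; then
        echo "notarization-incomplete"
    elif [ "$accepted" = yes ]; then
        echo "ok"
    else
        # Signature and ticket checks pass but the Gatekeeper assessment
        # does not: the state described in the post.
        echo "notarized-but-rejected"
    fi
}

# check_pkg PATH: run the real tools (macOS only) and classify their output.
check_pkg() {
    sig=$(pkgutil --check-signature "$1" 2>&1)
    staple=$(xcrun stapler validate "$1" 2>&1)
    assess=$(spctl --assess --type install -vv "$1" 2>&1)
    classify_pkg "$sig" "$staple" "$assess"
}

# Only touch the system tools when a package path is given on a Mac.
if [ -n "${1:-}" ] && command -v spctl >/dev/null 2>&1; then
    check_pkg "$1"
fi
```

A `notarized-but-rejected` result means the signature and stapled ticket validate locally while the install assessment still fails, which is the combination reported above.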

I would file a DTS request if I were you.

I would file a DTS request if I were you.

Yeah, that might be necessary, but first let’s see if we can do this in public.

@skygate-technologies, are you able to share an example installer package publicly? For example, by posting a link to a site where I can download it? If so, reply here with that link. If not, reply here anyway and I’ll explain the alternative path.

Note: When you go to post the link, do that in the clear. See tip 14 in Quinn’s Top Ten DevForums Tips.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
