It seems like something changed in the notarization in the last few days. I'm running the same build script that creates and notarize a DMG that contains a PKG with 4 plugins. Everything is signed correctly. No error anywhere in the notarization process. Checking the status of the notarization, I get this: Status: success Status Code: 0 Status Message: Package Approved Stapling returns this: The staple and validate action worked! Yet, if I check the PKG inside with this command: spctl -a -vvv -t install I get this output: .pkg: rejected source=Unnotarized Developer ID origin=Developer ID Installer: My Company This project was perfectly working a few weeks ago, and we have not changed a thing. Checking the notarization log, the only issue I see is this: "issues": [ { "severity": "warning", "code": null, "path": "Archive.dmg/Installer.pkg", "message": "This archive is corrupt, and cannot be unpacked for analysis.", "docUrl": null, "architecture": null } ] But this warning is also present in past DMG/PKG thatare notarized and work as they should. Another difference from previous logs is that I can only see one item in ticketContents, which is the DMG, while previously I could see two, both the DMG and the PKG.