Hey all. I "Archived" my XCode application, notarized through XCode, exported the .app and used a program create-dmg to generate a DMG for me. I then notarized this using the xcrun notarytool submit Lyric\ Fever\ 1.7.dmg --keychain-profile "notarytoolProfile" command as well as xcrun stapler staple Lyric\ Fever\ 1.7.dmg, both of which passed.
Running syspolicy_check distribution also passes. So does xcrun stapler validate.
This dmg still fails when testing using spctl. spctl -a -t open -vvv --context context:primary-signature Lyric\ Fever\ 1.7.dmg generates the following error:
Lyric Fever 1.7.dmg: rejected
origin=Apple Development: Avi Wadhwa (#######)
Furthermore, I uploaded this dmg to github and redownloaded it. This newly downloaded dmg does not open in finder, prompting the "unidentifier developer, malware" message.
Yet xcrun stapler validate passes, and so does syspolicy_check distribution. I know as per Eskimo's previous posts that this is not the ideal way to test notarization (and setting a macOS vm is the best method), but if I cannot download my own dmg from GitHub then something is clearly wrong.