Hello, we have a bunch of codesigned and notarized applications that are distributed as pkg and dmg, but for the first time I faced a situation where an application downloads a zip archive from the server and unzips a single binary file that is used like a module with a command line interface.
This binary of course has to be signed, and I'm trying to figure out if we have to notarize it too. Obviously I can't just upload the binary without any container; I tried to zip it before sending, but no luck.
/Applications/Xcode.app/Contents/Developer/usr/bin/altool --notarize-app --primary-bundle-id "id" --username "email" --password "@keychain:AC_PASSWORD" --file ./archive.ZIP --output-format "xml" --asc-provider "company"
resulted in
[Step 1/1] <key>notarization-info</key>
[Step 1/1] <dict>
[Step 1/1] <key>Date</key>
[Step 1/1] <date>2022-12-02T15:50:48Z</date>
...
[Step 1/1] <key>Status</key>
[Step 1/1] <string>invalid</string>
So I wonder maybe with this weird way of distribution just signing is enough? I mean I can put it inside the pkg and notarize but I can't staple a ticket to the binary anyway...