Posts

Post not yet marked as solved
3 Replies
You will need to sign the .pkg installer with Developer ID and notarize it in order for it to install on macOS 10.14.5 and newer. The reason why it may have appeared to work locally was that the pkg wasn't quarantined. The recommended QA procedure for installation is to start with a fresh macOS VM instance and use AirDrop or a web browser to download the file into it. Then double click on it like a user would. If it installs and runs properly, you can ship it.

DMGs are like zip files -- notarization is not required to open them. However, their contents must be notarized in order to run. You can do one of two approaches:

1. Sign the app, put it in the DMG, sign the DMG, then upload the DMG to be notarized.
2. Zip up the app and notarize the app separately, then put it in a DMG and distribute the DMG without notarizing it.

When you notarize a DMG, pkg, or bundle, everything inside is automatically unpacked and notarized as well. So you only need to upload the "top level" file for notarizing in a single pass, not the contents separately.

You can read a lot more here: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
Post not yet marked as solved
8 Replies
Please try again, being sure that the "xcrun stapler staple file.dmg" shows success. Then try to open it on another machine. You can test the notarized status of a dmg with "spctl -a -v -t open file.dmg"
Post not yet marked as solved
22 Replies
That is correct. The workaround to thin binaries is no longer necessary and individual tickets will be generated for all slices of universal binaries. Tickets are being regenerated now for all affected uploads.
Post marked as solved
17 Replies
DTS is discussing this with you separately, but I wanted to provide some info for people who stumble across this thread:

We recommend you notarize only your final software distribution. If you ship a dmg to your customers, then just notarize the dmg and staple a ticket to it. Same thing for a pkg. There's no need to notarize internal components separately in most cases. The main exception is if you have a custom installer format (not .pkg), you may need to notarize the internals first and then the outer installer exe after building it. You'll see this if you try to upload your custom installer and the developer log shows some files were missing from the ticket contents since they couldn't be unpacked.

You can notarize using a zip file, but it does mean you need to separately staple each of the things in the zip since there is no ticket generated for the zip file itself (it's not something that can be code-signed).

Separately, we fixed bug 50294732 yesterday that caused this developer's submission to not have all tickets created.
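The checks mentioned in the replies above (a stapled ticket, a Gatekeeper assessment with spctl, and the fact that a zip carries no ticket of its own) can be combined into one pre-release gate. This is an added example, not code from the original posts or from Apple: the function names `assessment_type` and `check_artifact` are hypothetical, and the `stapler validate` step and the `install`/`execute` assessment types go beyond the dmg commands quoted in the posts.

```shell
#!/bin/sh
# Added example: pre-release gate for a notarized distribution artifact.
# Usage (on macOS):  . ./check_artifact.sh && check_artifact file.dmg

# Map an artifact to the Gatekeeper assessment type spctl should use.
assessment_type() {
    case "$1" in
        *.dmg) echo open ;;      # same type as "spctl -a -v -t open file.dmg"
        *.pkg) echo install ;;
        *.app) echo execute ;;
        *.zip) echo none ;;      # a zip cannot be signed, so it has no ticket
        *)     echo unknown ;;
    esac
}

# Return 0 only if the artifact has a stapled ticket and Gatekeeper accepts it.
# Return 2 for input that cannot be checked, 1 for a failed check.
check_artifact() {
    artifact=$1
    kind=$(assessment_type "$artifact")
    case "$kind" in
        none)
            echo "$artifact: no ticket exists for a zip; staple and check each item inside it" >&2
            return 2 ;;
        unknown)
            echo "$artifact: unsupported artifact type" >&2
            return 2 ;;
    esac
    if [ ! -e "$artifact" ]; then
        echo "$artifact: not found" >&2
        return 2
    fi
    # A stapled ticket lets Gatekeeper verify notarization while offline.
    if ! xcrun stapler validate "$artifact"; then
        echo "$artifact: no valid stapled ticket" >&2
        return 1
    fi
    # Ask Gatekeeper for the same verdict a user's machine would reach.
    if ! spctl -a -v -t "$kind" "$artifact"; then
        echo "$artifact: rejected by Gatekeeper assessment ($kind)" >&2
        return 1
    fi
    return 0
}
```

A pass here does not replace the clean-VM download test described in the first reply, since a locally built file is not quarantined.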