I think I understand notarization:
- It sends binary to Apple
- Apple performs automatic verification
- If verification succeeds, (and perhaps this is the wrong terminology) a Notarization Ticket is stored on Apple's servers
- When an end user goes to use the Notarized Binary, macOS requests a Notarization Ticket for the binary, and if this succeeds, then all is good. This, of course, requires a network connection on the end user's machine when the binary is (first?, always?) accessed. It seems pretty clear from the staple tool that the ticket is cached locally, so while it may be verified every time, it only needs to be downloaded once.
- Stapling is a post-process step that downloads the Notarization Ticket and attaches it to the binary (before distribution) so that the end user's machine can verify the Notarization without a network connection back to Apple being available at all.
As of 10.14.5, kexts MUST be notarized in order to be loaded. Again, it is not clear if this verification is on every load, or only the first load.
Now, you can staple binaries, and you can also staple the flat .pkg that is used to distribute them.
The question that I am unclear on is:
If I package my kext in a flat installer .pkg, and then submit the .pkg for Notarization, the Notarization service notarizes both the .pkg and the kext.
If I staple the .pkg, does the Notarization Ticket that is stapled to the .pkg include the Notarization Ticket for the kext, or does the kext need to be stapled separately?
If it does need to be stapled separately, then I would need to rebuild the .pkg after stapling, which would invalidate the Notarization ticket for the .pkg. So that would imply that I would have to re-notarize the pkg, and then staple the pkg.
TLDR:
Is the process (option 1):
- Create kext
- Create pkg
- Notarize pkg
- Staple pkg
or does it have to be (option 2):
- Create kext
- Notarize kext
- Staple kext
- Create pkg
- Notarize pkg
- Staple pkg
Obviously, option 1 is more appealing if it works.
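The following release script is an added example, not code from the original post or from Apple: it carries out the longer sequence (option 2) end to end with the real command-line tools, so that both the kext and the package end up with a stapled ticket and can be checked offline with `xcrun stapler validate`. It uses `xcrun notarytool` (the replacement for the `altool --notarize-app` flow that was current at 10.14.5) and assumes placeholder values: the kext path `build/MyDriver.kext`, the package identifier `com.example.mydriver`, the two Developer ID identities and a notarytool keychain profile named `notary`, all of which are overridable through environment variables. Stapling the kext first does not disturb the package ticket, because that ticket is computed over the package exactly as it is later submitted, stapled kext included.

```shell
#!/bin/sh
# Added example (not from the original post): kext -> notarize -> staple,
# then pkg -> notarize -> staple, with offline validation after each staple.
# All identifiers below are assumed placeholders; replace them for real use.
set -eu

KEXT="${KEXT:-build/MyDriver.kext}"                                   # assumed path
PKG_ID="${PKG_ID:-com.example.mydriver}"                              # assumed identifier
PKG_OUT="${PKG_OUT:-build/MyDriver.pkg}"
APP_IDENTITY="${APP_IDENTITY:-Developer ID Application: Example Corp (TEAMID)}"
INST_IDENTITY="${INST_IDENTITY:-Developer ID Installer: Example Corp (TEAMID)}"
NOTARY_PROFILE="${NOTARY_PROFILE:-notary}"   # made once with: xcrun notarytool store-credentials notary
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print each command instead of executing it

# Runs a command, or prints it when DRY_RUN=1 so the ordering can be inspected.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# notarytool accepts a zip, dmg or pkg, not a bare bundle, so the kext is zipped
# for submission; the ticket is then stapled to the kext bundle itself.
notarize_kext() {
    run codesign --force --timestamp --sign "$APP_IDENTITY" "$1"
    run ditto -c -k --keepParent "$1" "$1.zip"
    run xcrun notarytool submit "$1.zip" --keychain-profile "$NOTARY_PROFILE" --wait
    run xcrun stapler staple "$1"
    run xcrun stapler validate "$1"     # passes without network once the ticket is stapled
}

# Builds the flat installer package around the (already stapled) kext, submits
# the package, staples its own ticket and runs the same Gatekeeper-style checks.
build_and_notarize_pkg() {
    run pkgbuild --component "$1" --install-location /Library/Extensions \
        --identifier "$PKG_ID" --sign "$INST_IDENTITY" "$2"
    run xcrun notarytool submit "$2" --keychain-profile "$NOTARY_PROFILE" --wait
    run xcrun stapler staple "$2"
    run xcrun stapler validate "$2"
    run spctl --assess --type install -vv "$2"   # installer assessment, as Gatekeeper performs it
}

# Full release: the kext is stapled before it is packaged, so rebuilding the
# package never invalidates a ticket that was already stapled.
release() {
    notarize_kext "$KEXT"
    build_and_notarize_pkg "$KEXT" "$PKG_OUT"
}

# Run with RELEASE_NOW=1 (add DRY_RUN=1 to see the command order only).
if [ "${RELEASE_NOW:-0}" = 1 ]; then
    release
fi
```

Invoke it as `RELEASE_NOW=1 DRY_RUN=1 sh release.sh` first to review the ten commands it would run, then without `DRY_RUN` on a machine that holds the signing identities. The `stapler validate` calls are the offline check: if either fails, that artifact still depends on a network lookup of the ticket at first use.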