How to debug gatekeeper reject, but passing codesign verification

I need step by step instructions to debug why spctl command rejects -- I am on 10.15.7. Appreciate if anyone can shed some light on this with pointer/documentation?

Forcing me to do something on Xcode is not what I am looking for, please.

I am sure with Catalina -- new rules have formed around Gatekeeper spctl command to assess the security posture of the apps installed or developed.

No one wants malware, including hardworking developers :)

Now coming to our app, it gets rejected by spctl -- unknown developer, but codesign passes the app.

sh-3.2

spctl -a -t exec --ignore-cache  -vv /Applications/MyApp.app

====
/Applications/MyApp.app: rejected
origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
=====

sh-3.2

codesign -dvv --strict /Applications/MyApp.app


=====
Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
Identifier=com.MyApp.SubID
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1285 flags=0x10000(runtime) hashes=31+5 location=embedded
Signature size=9134
Authority=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Nov 2, 2020 at .... PM
Info.plist entries=15
TeamIdentifier=MYORGDEVID
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=309
Internal requirements count=1 size=212
====


sh-3.2

codesign -vv --strict  /Applications/MyApp.app

===
/Applications/MyApp.app: valid on disk
/Applications/MyApp.app: satisfies its Designated Requirement
===


Hi.

You will always have an output like

/Applications/MyApp.app: rejected
origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)

until you notarize your application. See e.g. https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

S.
How to debug gatekeeper reject, but passing codesign verification
 
 
Q