I can't find any other posts that quite match my experience and I've tried all the suggestions I could find in any post that seemed to contain clues. I can notarize (and staple) my app without any problem. It's an Adobe AIR captive runtime app that contains nested files: WebKit.dylib, A2712Enabler, FlashPlayer-10.6.
Then I try to make a flat installer package but when notarizing the package it gives these reasons for failure on those files:
The binary is not signed
The signature does not include a secure timestamp
The executable does not have the hardened runtime enabled
As a test I've tried building a package again containing the exact original app that was packaged and notarized successfully in 2019. I've tried making a new app and code signing that (separately trying the deep option and inside out) and this notarization of the app itself always works fine (and verifies ok after stapling). But in all cases, notarizing the packaged version fails with the same error log as above.
The payload for the package is the notarized, stapled app plus a readme text file and a folder or two of xml, text and other non-app files. It's only an xml config file in a subfolder that I need to change for this release.
Applications/My App
    Config folder
    My App.app
    ReadMe.txt
    Templates folder
I used a tool called Packages to build the flat .pkg file and at first simply opened the original project file. It is set to use my installer certificate and to get a timestamp. Afterwards I also tried setting up a new project. One puzzle is that using pkgutil --check-signature shows status as signed by a certificate trusted by Mac OSX but does not show the message "signed with a trusted timestamp". However, the original (successfully notarized) 2019 package does show this message when checking the signature. I haven't tried uploading the original package again for notarization... it might be a useful test but I'm not sure if that will break things.
I've also tried setting Packages to stop using my certificate to just build an unsigned package. Then I signed it using productsign from the command line. The output shows it signing and using a timestamp authority. But pkgutil --check-signature still doesn't show the message "signed with a trusted timestamp".
The Developer ID Installer certificate seems OK in the keychain and has over a year left to go till expiry.
The Mac I'm using is running Mojave and Xcode 11.3.1.
Any help or pointers will be much appreciated.
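A pre-flight check along the lines of what the post describes, added here as an example and not taken from the post or from the Packages tool: it parses `codesign -dvv` output for the three properties the notary log complained about on the nested binaries, and `pkgutil --check-signature` output for the trusted-timestamp line. The sample outputs and the team ID in them are constructed; codesign, pkgutil and file are real macOS tools, so check_payload only does something useful on a Mac.

```shell
# Added example, not from the original post. Parses the text that
# `codesign -dvv <binary>` prints and reports the three reasons the
# notary log gave for the nested WebKit.dylib / A2712Enabler files.

# Print each missing property in the notary's wording; return 1 if any is missing.
check_codesign_desc() {
    desc="$1"
    rc=0
    case "$desc" in
        *"code object is not signed at all"*)
            echo "The binary is not signed"; return 1 ;;
    esac
    # A secure timestamp shows up as a "Timestamp=..." line.
    if ! printf '%s\n' "$desc" | grep -q '^Timestamp='; then
        echo "The signature does not include a secure timestamp"; rc=1
    fi
    # Hardened runtime shows up in the CodeDirectory flags, e.g. flags=0x10000(runtime).
    if ! printf '%s\n' "$desc" | grep -q 'flags=0x[0-9a-f]*(.*runtime'; then
        echo "The executable does not have the hardened runtime enabled"; rc=1
    fi
    return $rc
}

# Return 0 if `pkgutil --check-signature` output mentions a trusted timestamp.
check_pkg_desc() {
    printf '%s\n' "$1" | grep -qi 'signed with a trusted timestamp'
}

# Run the binary check over every Mach-O file in a payload tree (needs a Mac).
check_payload() {
    find "$1" -type f | while read -r f; do
        file "$f" | grep -q 'Mach-O' || continue
        check_codesign_desc "$(codesign -dvv "$f" 2>&1)" | sed "s|^|$f: |"
    done
}

# Constructed samples of codesign output: one fully prepared dylib, and one that is
# signed but has neither a secure timestamp nor the hardened runtime (team ID is a placeholder).
SAMPLE_OK='Executable=/tmp/My App.app/Contents/Resources/WebKit.dylib
Identifier=WebKit
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+3 location=embedded
Timestamp=Mar 9, 2021 at 10:00:00 AM
Authority=Developer ID Application: Example Corp (XXXXXXXXXX)'
SAMPLE_BAD='Executable=/tmp/My App.app/Contents/Resources/A2712Enabler
Identifier=A2712Enabler
Format=Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Authority=Developer ID Application: Example Corp (XXXXXXXXXX)'
```

Running check_payload against the staged payload folder before building the .pkg surfaces the same three findings the notary would report, one line per nested binary.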
Well, it turns out that switching to another Mac (Big Sur, Xcode 13) did the trick. Exported the certificate and copied that to the new Mac with the Packages project file plus the app itself that I could still successfully sign and notarise on the old Mac. Built and signed the pkg using Packages and notarised it with altool.
Very frustrating few days of messing around which I could have avoided if I just switched to the other Mac sooner.