To provide a concrete example, I created a HelloWorld command-line program, ran
xcodebuild clean install
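packaged it, and sent it for notarization. The app had my Developer ID, TeamIdentifier, and a Signed Time. (Note that in the codesign output below the leaf Authority is an "Apple Development" certificate rather than a "Developer ID Application" one, and the signature shows a "Signed Time" line rather than a "Timestamp" line; these correspond to the two errors in the notarization log.)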
$ codesign -dvvv --entitlements :- HelloWorld.dst/usr/local/bin/HelloWorld
Executable=/private/tmp/HelloWorld.dst/usr/local/bin/HelloWorld
Identifier=HelloWorld
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=406 flags=0x10000(runtime) hashes=4+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=946e6b1e139852546e7d3624b107c842c4f0522c
CandidateCDHashFull sha256=946e6b1e139852546e7d3624b107c842c4f0522c26f2dba7aea8b93c668f9f8d
Hash choices=sha256
CMSDigest=946e6b1e139852546e7d3624b107c842c4f0522c26f2dba7aea8b93c668f9f8d
CMSDigestType=2
CDHash=946e6b1e139852546e7d3624b107c842c4f0522c
Signature size=4736
Authority=Apple Development: XXXX XXXXXXX (XXXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Feb 5, 2020 at 3:49:08 PM
Info.plist=not bound
TeamIdentifier=XXXXXXXXX
Runtime Version=10.15.0
Sealed Resources=none
Internal requirements count=1 size=176
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict/>
</plist>
And here is the notarization error log:
{
"logFormatVersion": 1,
"jobId": "909e8ba7-4df5-4120-b35a-c4c0b21e921b",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "HelloWorld.pkg",
"uploadDate": "2020-02-05T23:54:48Z",
"sha256": "d6cc95c1e32bb038b654aea96b683a6f0e704d72b530187ea6fa081276635235",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "HelloWorld.pkg/HelloWorld.pkg Contents/Payload/usr/local/bin/HelloWorld",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "HelloWorld.pkg/HelloWorld.pkg Contents/Payload/usr/local/bin/HelloWorld",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
}
]
}