Posts

Post not yet marked as solved
0 Replies
1.7k Views
Hello,

(This is based on a recent long thread on Hacker News about developers experiencing sluggishness running command line tools in latest versions of macOS.)

When I create a new executable locally (for example, a one-liner shell-script or a C program), the first execution even from Terminal causes a network request by syspolicyd to apple-cloudkit.com.

The posts below appear to suggest that Gatekeeper shouldn't be firing unless I am running a downloaded item marked with the quarantine xattr, and even then only from Finder.

https://forums.developer.apple.com/thread/127709
https://forums.developer.apple.com/thread/127694

There was discussion as to whether this network hit is expected behavior. How can we disable it for local, non-end-user-distributed binaries? Is the behavior notarization-specific, or something entirely different like XProtect?

Thank you,
David
Posted by dvar. Last updated.
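Added example (not from the post above or from any Apple tool): a small diagnostic script for the situation the post describes. It decodes the com.apple.quarantine attribute format ("flags;timestamp;agent;uuid", with flags and timestamp in hex) so you can confirm whether a freshly built binary carries the attribute at all, and then asks spctl for Gatekeeper's verdict on executing it. The sample attribute values in the test are constructed; decode_quarantine runs anywhere, inspect_binary needs macOS (xattr and spctl).

```shell
# Decode a com.apple.quarantine value of the form "flags;timestamp;agent;uuid".
# The flags and download timestamp are hexadecimal; older three-field values
# carry no UUID. Output: "flags=0x.. downloaded_at=<epoch> agent=.. uuid=.."
decode_quarantine() {
    raw=$1
    flags=${raw%%;*}; rest=${raw#*;}
    ts=${rest%%;*};   rest=${rest#*;}
    agent=${rest%%;*}
    uuid=${rest#*;}
    if [ "$uuid" = "$agent" ]; then
        uuid=""   # three-field form: nothing after the agent name
    fi
    printf 'flags=0x%s downloaded_at=%d agent=%s uuid=%s\n' \
        "$flags" "$((0x$ts))" "$agent" "$uuid"
}

# Report the quarantine state of a file and Gatekeeper's execute assessment
# for it (macOS only; hypothetical helper, not part of the forum thread).
inspect_binary() {
    f=$1
    if q=$(xattr -p com.apple.quarantine "$f" 2>/dev/null); then
        echo "$f is quarantined: $(decode_quarantine "$q")"
    else
        echo "$f has no com.apple.quarantine attribute"
    fi
    # -vv prints the verdict together with the rule or ticket that matched.
    spctl --assess --type execute -vv "$f" 2>&1 || true
}

# Usage when run directly: ./inspect.sh ./a.out
if [ "$#" -eq 1 ]; then
    inspect_binary "$1"
fi
```

To correlate the first execution with the network activity the post mentions, keep `log stream --predicate 'process == "syspolicyd"' --info` running in a second Terminal window while running inspect_binary and then the binary itself; the absence of the attribute in the first line of output is exactly the condition the post is asking about.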
Post marked as solved
2 Replies
325 Views
Hello,

I am the author of xcnotary, an open source tool to help developers automate their notarization workflow. I wanted to clarify the following behavior to make sure I'm providing users with correct instructions.

I can see that the notarization service inspects the content inside .pkg/.dmg submissions. For example, if I attempt to notarize a signed package containing an improperly signed .app bundle, the service correctly fails.

The service does also appear to notarize the enclosed bundle (checked using "spctl -a -t exec -v"). However, the bundle isn't stapled, and so would need a network request on the first run (checked using "stapler validate -v" with network turned off).

My question is: what is the general "contract" the notarization service expects to provide?

- Will it always notarize enclosed bundles?
- Is it expected that it won't be stapling them?
- If so, in the interest of shipping bundles that are already stapled, should the build process always be two-step as follows?
  1. Notarize and staple the .app bundle.
  2. Package it into a container (.dmg/.pkg), and then notarize and staple that container.

Thank you,
David
Posted by dvar. Last updated.
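Added example (editorial, not code from xcnotary or from the post): the two-step release flow the post proposes, written as a shell script, so that both the bundle and the disk image that wraps it carry their own stapled tickets. It uses xcrun notarytool (which replaced altool) with a keychain profile created beforehand via `xcrun notarytool store-credentials`; the identity string, profile name and paths are hypothetical. DRY_RUN=1 prints the commands instead of executing them, which is how the test below exercises the ordering without macOS.

```shell
# Two-step notarize-and-staple release: stapled .app inside a stapled .dmg.
# Assumed environment (hypothetical): SIGNING_IDENTITY and NOTARY_PROFILE.
set -eu

DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run:'; printf ' %s' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Submit one artifact (.app, .dmg or .pkg), wait for the verdict, staple the
# ticket, then confirm the staple locally so first launch needs no network.
notarize_and_staple() {
    artifact=$1
    run xcrun notarytool submit "$artifact" --keychain-profile "$NOTARY_PROFILE" --wait
    run xcrun stapler staple "$artifact"
    run xcrun stapler validate "$artifact"
}

# Step 1: sign the bundle (hardened runtime + secure timestamp), notarize, staple.
# Step 2: wrap the already-stapled bundle in a disk image and repeat for the image.
two_step_release() {
    app=$1; dmg=$2
    run codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$app"
    notarize_and_staple "$app"
    run hdiutil create -volname "$(basename "$app" .app)" -srcfolder "$app" -ov -format UDZO "$dmg"
    run codesign --timestamp --sign "$SIGNING_IDENTITY" "$dmg"
    notarize_and_staple "$dmg"
    # Gatekeeper assessment of both artifacts, as the post does with spctl.
    run spctl --assess --type execute -vv "$app"
    run spctl --assess --type open --context context:primary-signature -vv "$dmg"
}

# Usage when run directly: ./release.sh build/Example.app dist/Example.dmg
if [ "$#" -eq 2 ]; then
    two_step_release "$1" "$2"
fi
```

The point of stapling at both layers is that the ticket check for the inner bundle succeeds from the stapled ticket rather than from a lookup, which is what `stapler validate` with networking off confirms at each step. Whether the service will keep notarizing enclosed bundles without stapling them is the open question in the post; this script does not depend on the answer.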