I have several questions about notarization and enhanced runtime and their behavior in certain scenarios:
1. We install our SW via a notarized .pkg. We upload every .pkg for notarization, so Apple sees all the binaries inside the app bundle. But old installations are updated by patching individual files. The signature will remain valid, but the new binaries did not enter the system via any notarized .pkg. Will this continue to work? It saves a lot of bandwidth to download only small diffs.
2. Our SW is an Avast Antivirus solution. Part of it is the scanning engine libraries + virus definitions. These are distributed separately and updated 4 times per day to react to the latest malware. The engine libraries are properly signed but not notarized, as they are not contained in any bundle that is supported by notarization. The enhanced runtime docs mention that an app can load libraries signed by the same developer, so I expect our notarized app to be able to load non-notarized libraries signed by us. Is this correct? Will it continue to work?
3. We are distributing our SW as a .pkg inside a .dmg. We have our own stapler service to staple the .dmg with user-specific data (licenses). We do this from our web pages when a user buys our product, so we need it to be lightning fast. Will the new Gatekeeper allow the user to install a notarized .pkg from a non-notarized .dmg?
4. During our first attempts to make notarization work, we received some "Bad library" errors trying to load libraries built against the 10.6 SDK. But we could not find any detailed violation description in any log files in Console.app. Where are such violations logged to? It would really help us understand the cause of the issues.
Thanks for any relevant comments.