The question about how to notarise an installer package (
.pkg) containing a KEXT has come up on a number of threads  over the past few weeks. Unfortunately my answers have been less than clear, so I sat down with the notarisation team to fix that.
The fundamental question here is the order in which you notarise things. Do you:
Sign the KEXT, wrap the KEXT in a signed installer package, then notarise the package, then staple the ticket to the package (option A).
Sign the KEXT, then notarise it, then staple the ticket to the KEXT, then wrap the KEXT in a signed installer package, then notarise the package, then staple the ticket to the package (option B).
We generally recommend option A, because option B requires multiple round trips to the notarisation servers.
For installer packages that don’t contain a KEXT, this is the end of the story. For installer packages that contain a KEXT, there is one extra gotcha. The gotcha, and its workaround, are described in the macOS Mojave 10.14.5 Release Notes (search for “50205533”).
I’ve locked this post so that I can update if there are any further developments. If you have follow-up questions, either post them to your existing thread or, if you don’t have an existing thread, create a new thread here on Distribution > Mac Apps.
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"