For years, we have been using the following four commands to sign our app and ensure that the signing has worked:
```
codesign --force --verbose=0 --deep --sign $certIdentity $mntpointApp
codesign --verify --verbose=0 --deep $mntpointApp
spctl --assess --verbose=4 --type install $mntpointApp
spctl --assess --verbose=4 --type execute $mntpointApp
```
Our build machine (macOS 10.13.6, Xcode 10.1) executes these commands without failure. My Mojave MBP did too before I upgraded it to Catalina and Xcode 11.
After upgrading, the first spctl command fails like this (according to our gradle script's output):
```
13:14:54.010 [INFO] [org.gradle.process.internal.DefaultExecHandle] Starting process 'command 'spctl''. Working directory: $HOME Command: spctl --assess --verbose=4 --type install $HOME/build/tmp/dmgMount/My.app
13:14:54.010 [DEBUG] [org.gradle.process.internal.DefaultExecHandle] Changing state to: STARTING
13:14:54.010 [DEBUG] [org.gradle.process.internal.DefaultExecHandle] Waiting until process started: command 'spctl'.
13:14:54.014 [DEBUG] [org.gradle.process.internal.DefaultExecHandle] Changing state to: STARTED
13:14:54.014 [DEBUG] [org.gradle.process.internal.ExecHandleRunner] waiting until streams are handled...
13:14:54.014 [INFO] [org.gradle.process.internal.DefaultExecHandle] Successfully started process 'command 'spctl''
13:14:54.238 [ERROR] [system.err] $HOME/build/tmp/dmgMount/My.app: rejected
13:14:54.239 [ERROR] [system.err] source=Unnotarized Developer ID
13:14:54.239 [DEBUG] [org.gradle.process.internal.DefaultExecHandle] Changing state to: FAILED
13:14:54.239 [DEBUG] [org.gradle.process.internal.DefaultExecHandle] Process 'command 'spctl'' finished with exit value 3 (state: FAILED)
```
I modified the above debug output to obfuscate a couple of names that I don't want to reveal.
The doc that I've been reading regarding how to notarize and staple is this: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
The first bullet under the heading "Prepare Your Software for Notarization" says:
Enable code-signing for all of the executables you distribute.
I take this to mean "you have to sign your application".
A couple of points below it says "Don't use a Mac Distribution or local development certificate". The certificate we are using is of the type "Developer ID Application".
Unless spctl is given an erroneous error message, it looks like there is at least one constraint I haven't satisfied: getting the Developer ID notarized.
Nowhere in the document does it describe that process as being a constraint nor how to accomplish that task.
The other forum topics don't address this concept at all or are ambiguous.
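As an added example (not code from the original post or from the Gradle build it describes), the following POSIX shell script wraps the four commands above in a single function and turns the `spctl` result into a machine-readable verdict. The point for a build pipeline is that `spctl` reports the outcome on two lines: the assessed path followed by `accepted` or `rejected`, and a `source=` line giving the reason (here `Unnotarized Developer ID`). A script that only checks the exit status (3 in the log above) loses that reason, so the classifier below keeps it. The variable names `cert_identity` and `app_path` stand in for the post's `$certIdentity` and `$mntpointApp`; the sample output used for checking is constructed from the log quoted above, and the `codesign`/`spctl` calls themselves only run on macOS.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's sign/verify/assess
# sequence and parses the spctl assessment so the "source=" reason survives.

# classify_spctl_output TEXT
#   TEXT is the combined stdout/stderr of `spctl --assess --verbose=4 ...`,
#   possibly wrapped in a build tool's log prefix (as in the Gradle output).
#   Prints "<verdict>|<reason>", e.g. "rejected|Unnotarized Developer ID".
classify_spctl_output() {
    printf '%s\n' "$1" | awk '
        /: accepted$/ { verdict = "accepted" }
        /: rejected$/ { verdict = "rejected" }
        /source=/     { sub(/.*source=/, ""); reason = $0 }
        END {
            if (verdict == "") verdict = "unknown"
            if (reason == "")  reason  = "none"
            print verdict "|" reason
        }'
}

# sign_and_assess CERT_IDENTITY APP_PATH
#   Runs the four commands from the post with proper quoting, stops at the
#   first failure, and reports the spctl verdict and reason for each policy
#   type. Returns spctl's exit status so the build fails on "rejected".
sign_and_assess() {
    cert_identity=$1
    app_path=$2

    codesign --force --verbose=0 --deep --sign "$cert_identity" "$app_path" || return 1
    codesign --verify --verbose=0 --deep "$app_path" || return 1

    for policy in install execute; do
        out=$(spctl --assess --verbose=4 --type "$policy" "$app_path" 2>&1)
        status=$?
        result=$(classify_spctl_output "$out")
        printf '%s assessment: %s (spctl exit %d)\n' "$policy" "$result" "$status"
        [ "$status" -eq 0 ] || return "$status"
    done
}

# Usage (macOS only): sign_and_assess "Developer ID Application: Example Corp (TEAMID)" /Volumes/My/My.app
```

The classifier is separated from the macOS-specific commands so it can be exercised on any platform against captured output; on a rejection, the reason string (for example `Unnotarized Developer ID`) is what tells a reviewer whether the signature itself is bad or the assessment failed a policy requirement beyond signing.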