I see in multiple locations that if I have a dmg I should sign outwards and only notarize the dmg. Is this correct?
Our general advice:
Sign everything, from the inside out.
Notarise the outermost container.
Staple the outermost container, assuming it supports stapling.
There are various obscure exceptions to these rules but the only major exception is when your outermost container is a zip archive. In that case you have to:
Unzip the archive.
Staple the app within the archive.
Create a new archive from the stapled app.
This assumes that the content of your zip archive is just a single app. If not — for example, if you’re distributing multiple items in the zip archive, or you’re distributing something that isn’t an app — you’re probably better off not using a zip archive as your outermost container.
Is it because the gatekeeper checks at time of opening the dmg, and when moving it the quarantine flag is cleared?
That does happen, but that’s not the reason. The reason is that:
The ticket covers the outermost container and everything within it.
--notarisation-info, download the log, and then check that the ticket does actually cover everything that you expect it to cover.
When Gatekeeper checks the outermost container, the system ingests the ticket so that it’s available to any future notarisation checks.
I'm asking because - out of habit - after installing the app I ran my verifications and of course they failed as the app is not notarized.
I can’t to offer any insight into that without more details on the exact steps you took.
Share and Enjoy
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"