I couldn't find a clear answer on this:
The official links of notarizing you MacOS app, found below, only discuss notarizing and stapling an APP file, not a PKG file:
How do I this for the PKG installation file?
First things first, we recommend that you notarise your outermost container, the one that you actually ship to customers. So if you distribute your installer package on a disk image image, you should sign the contents of the package, build the package, sign the package, build the disk image, sign the disk image, and then notarise the disk image.
Once you’ve decided what to notarise, you notarise it using
altool. It’s just like as described in Customizing the Notarization Workflow except that you pass the installer package (or disk image) to the
Share and Enjoy
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"