Thank you for your reply on https://forums.developer.apple.com/thread/115670
As you suggested, I start a new thread here.
I finally got to the bottom of the issue (after wasting few more hours)...
Here's the situation in brief:
-I successfully sign my app for notarization.
-I successfully notarize it with altool and successfully staple. Therefore, I now have an officially notarized app.
-However, the notarization process creates an invisible ._Info.plist file in the app's Contents folder.
Which results in the following outcome when checking the signature with codesign:
codesign -vvv --deep --strict appPath
appPath: a sealed resource is missing or invalid
file added: appPath/Contents/._Info.plist
Like I mentioned, this notarized app then goes into my custom installer on dmg, which dmg I also notarize.
However, the above issue with ._Info.plist file causes error 65 on attempt to staple the dmg (after successfully running altool):
CloudKit query for dmgName.dmg (2/8162101e375e6e3fd1b06cc397f56181b19db60c) failed due to "record not found".
Could not find base64 encoded ticket in response for 2/8162101e375e6e3fd1b06cc397f56181b19db60c
The staple and validate action failed! Error 65.
Delete the ._Info.plist file from the app's Contents folder after notarization. It eliminates the error 65 - and dmg with installer can be successfully notarized.
There's apparently a severe bug in altool (or stapler?) that injects malicious invisible files into the package of notarized apps - which invalidate their signature.
I notarize my apps successfully for months - yet this experienced bug only yesterday for the first time. Also, it so far only happens with one of my apps.
I also submitted this bug to Apple via Feedback Assistant.