Mojave had no problems, but Catalina had problems.
1. security find-identity -v
1) C17046BFE80EE89BD1ED8C074...... "Apple Development: *** (2CK2N3894J)"
2) 3F2E4DE8448436C12D2180B0A...... "Developer ID Application: *** (3M7CA656X6)"
3) 6ADDD8EA0A311D666D9D78D3...... "Developer ID Installer:*** (3M7CA656X6)"
4) F829BE1DDB0C9907FCFBB41C...... "Apple Development: *** (M4A523532B)"
2. productsign --sign "Developer ID Installer: *** (3M7CA656X6)" ./aaa.pkg ./sign/aaa.pkg
3. pkgutil --check-signature ./aaa.pkg
Status: signed by a developer certificate issued by Apple for distribution
Certificate Chain:
1. Developer ID Installer: *** (3M7CA656X6)
SHA256 Fingerprint:
2A 6D 1F 76 4D 9F 08 DD 55 69 0A E0 AB.....
B7 D3 57 B2 DB 92 B7 8F 8B A3
------------------------------------------------------------------------
2. Developer ID Certification Authority
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D .....
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 ......
68 C5 BE 91 B5 A1 10 01 F0 24
4. spctl -a -vvv -t install "./aaa.pkg"
./***.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: *** (3M7CA656X6)
5.xcrun altool --notarize-app -t osx -f ./aaa.pkg --primary-bundle-id com.aaa.*** -u "ID" -p "PW" --output-format xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>notarization-upload</key>
<dict>
<key>RequestUUID</key>
<string>e08537cf-edb6-4126-b3d8-7c9.....</string>
</dict>
<key>os-version</key>
<string>10.15.3</string>
<key>success-message</key>
<string>No errors uploading './***.pkg'.</string>
<key>tool-path</key>
<string>/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework</string>
<key>tool-version</key>
<string>4.00.1181</string>
</dict>
6. spctl -a -vvv -t install "./aaa.pkg"
./***.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer:*** (3M7CA656X6)
Why does "source=Unnotarized Developer ID" occur?