It seems like something changed in the notarization in the last few days. I'm running the same build script that creates and notarize a DMG that contains a PKG with 4 plugins. Everything is signed correctly. No error anywhere in the notarization process.
Checking the status of the notarization, I get this:
Status: success
Status Code: 0
Status Message: Package Approved
Stapling returns this:
The staple and validate action worked!
Yet, if I check the PKG inside with this command:
spctl -a -vvv -t install
I get this output:
.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: My Company
This project was perfectly working a few weeks ago, and we have not changed a thing. Checking the notarization log, the only issue I see is this:
"issues": [
{
"severity": "warning",
"code": null,
"path": "Archive.dmg/Installer.pkg",
"message": "This archive is corrupt, and cannot be unpacked for analysis.",
"docUrl": null,
"architecture": null
}
]
But this warning is also present in past DMG/PKG thatare notarized and work as they should. Another difference from previous logs is that I can only see one item in ticketContents, which is the DMG, while previously I could see two, both the DMG and the PKG.