External frameworks fail notarization even after being codesigned

Question

I use the Sparkle lib in my Developer ID MacOS application for auto-updating. I export the app using CLI tools (xcodebuild) and then notarize using xcrun notarytool, this all seems to work fine.

I then create a DMG, and it's when I notarize this I get around 16 of the following errors:

• "The binary is not signed with a valid Developer ID certificate."

• "The signature does not include a secure timestamp."

I get both of these errors for all of of the following files:

"MyApp.dmg/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Sparkle"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Updater.app/Contents/MacOS/Updater"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/XPCServices/Downloader.xpc/Contents/MacOS/Downloader"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/XPCServices/Installer.xpc/Contents/MacOS/Installer"

It seems like the Sparkle apps that are packaged inside my app need to be codesigned before being packaged into a disk image and notarized.

I have tried:

• codesigning the .dmg container
• codesigning app with --deep flag before notarization
• codesigning app and all sub-apps (listed above) individually
• codesigning app and all sub-apps before notarization

I use the following bash method I created for codesigning:

function codesignApp() {
  codesign --force --sign "Developer ID Application: <NAME REDACTED> (<TEAMID REDACTED>)" \
    --timestamp --deep --verbose --options=runtime "$1"
}