How to generate a .pkg from a .app that is signed and notarized?

Question

I have a .app that is signed and notarized:

spctl --assess --type execute --verbose MyApp.app
MyApp.app: accepted
source=Notarized Developer ID

I want to create a .pkg to distribute my app.

pkgbuild --install-location /Applications/ --component MyApp.app MyApp.pkg

spctl --assess --type install --verbose MyApp.pkg
MyApp.pkg: rejected
source=no usable signature

So I need to sign the .pkg

productsign --sign "3rd Party Mac Developer Installer: ..." MyApp.pkg MyAppSigned.pkg

spctl --assess --type install --verbose MyAppSigned.pkg
MyAppSigned.pkg: rejected

What do I miss?

Answer 1

From what I remember, you don't need to notarize the application itself, it's enough to sign it using a Developer ID Application certificate.

For the pkg, you need to sign it using a Developer ID Installer certificate in addition to notarizing it.

Also don't forget to Staple your installer at the end after the notarizing process.

For your information, I am planning to add support for using packages for distribution in my open-source command line tool soon, you can keep an eye on the project here.