I have read heaps of advice and related problems, but haven't stumbled upon the exact one that troubles me. The problem is straightforward: I have a console app written in .NET Core 3.1, which I would like to distribute to macOS, among others. Hence, I need an installer. Ideally, the whole process shall be script-based, no clicking. Yep, CI. My steps:
1. dotnet publish -c Release -r osx-x64 (when done on Windows, I add the chmod +x to allow execution - no caveat here)
2. bin/Release/osx-x64/publish directory into an .app file (using Platypus for now just to make sure the whole .app thing is valid). At this point, clicking on the app actually runs it as expected (apart from the Untrusted developer warning).
3. .app and all files within (using a simple script). My entitlements are scarce (basically just the ones listed in Microsoft documentation).
4. codesign -vvv --deep-verify MyApp.app returns nice valid on disk and satisfies its Designated Requirements
5. .app into a .zip archive and uploads it for notarization, which fails. Reason: Invalid package. Running spctl -vvv --assess --type exec MyApp.app returns rejected, so no surprise.

I have learnt that Invalid package may mean almost anything, as it just doesn't pass a whitelist of allowed stuff and it is not really possible to indicate where it got wrong (would have to list a rejection reason for each and every rule).
It might be an insufficient set of entitlements, as my list only contains the 'default' values per MS documentation. However, I have also tried to create a simple Hello world console app to minimize anything going on inside - and sure, Invalid package. So it shouldn't be that my app is trying to do something that is not listed in the entitlements.
Which leaves us for... Hardened Runtime is not enabled? I haven't found any explicit way to enable it in a .NET Core console app (the only reference was for Xamarin.Mac, which is not applicable here IMO). Neither a way to verify that this is the problem indeed. But I don't expect MS to put so much effort into making .NET Core cross-platform and then throwing it all away just because Apple mandates Hardened Runtime.
I have tried building on both Windows and Mac, no help. My "Mac" is 10.15 Catalina in a VM (could this be an issue?).
Can anyone please help me, set me on a correct path or show me some piece of documentation I have been missing? I cannot believe that it is impossible.
Thank you.
Answering my own question: I must have been blind reading Apple documentation. The thing is, you only get Invalid package when querying the notarization results as pages (xcrun altool --notarization-history 0 -u USER -p PW). However, when you query your concrete request (xcrun altool --notarization-info REQUEST_ID -u USER -p PW), you get Invalid package as well, but also a URL pointing to a JSON containing debug info. Using that I was able to identify and remediate my issue.
So, Apple could definitely make their SW publishing process developer-friendlier, but the tools are there. Just double-check.
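An added example, not part of the original answer: once the JSON behind the URL returned by --notarization-info has been downloaded, a small script can turn it into a per-file issue list and a pass/fail exit code for CI. The field names (status, issues, severity, path, message) and the sample log are assumptions constructed for illustration, not the log from this question.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed shape of the notarization log JSON;
# the job id, paths and issue list are made up for this example.
SAMPLE_LOG = """
{
  "jobId": "00000000-0000-0000-0000-000000000000",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "archiveFilename": "MyApp.zip",
  "issues": [
    {"severity": "error", "path": "MyApp.zip/MyApp.app/Contents/MacOS/MyApp",
     "message": "The executable does not have the hardened runtime enabled.",
     "architecture": "x86_64"},
    {"severity": "error", "path": "MyApp.zip/MyApp.app/Contents/MacOS/MyApp",
     "message": "The signature does not include a secure timestamp.",
     "architecture": "x86_64"},
    {"severity": "warning", "path": "MyApp.zip/MyApp.app/Contents/Resources/helper.dylib",
     "message": "Constructed warning text.", "architecture": "x86_64"}
  ]
}
"""

def summarize(log_text):
    """Group issues by file and decide whether the CI step should pass."""
    log = json.loads(log_text)
    by_path = defaultdict(list)
    # "issues" may be null or absent when nothing was flagged
    for issue in log.get("issues") or []:
        by_path[issue.get("path", "<archive>")].append(
            (issue.get("severity", "error"), issue.get("message", "")))
    errors = sum(1 for items in by_path.values() for sev, _ in items if sev == "error")
    ok = log.get("status") == "Accepted" and errors == 0
    return {"ok": ok, "status": log.get("status"), "errors": errors, "by_path": dict(by_path)}

def render(summary):
    """One header line, then each flagged file followed by its issues."""
    lines = [f"status={summary['status']} errors={summary['errors']}"]
    for path, items in sorted(summary["by_path"].items()):
        lines.append(path)
        lines += [f"  [{sev}] {msg}" for sev, msg in items]
    return "\n".join(lines)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(render(result))
    raise SystemExit(0 if result["ok"] else 1)
```

Grouping by path shows which file inside the .app needs to be re-signed, which the bare Invalid package status does not.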