Thank you, Quinn.
Regarding the warning:
security verify-cert -c /path/to/cert confirms the Developer ID Installer certificate chain is valid (no errors). The "unable to build chain to self-signed root" warning appears with both productbuild --sign and productsign, but the resulting signature passes pkgutil --check-signature and notarytool accepts it. The same team's Developer ID Application certificate signs the .app inside a ZIP without any issues — that ZIP passes Gatekeeper on the same machine.
Regarding cross-over testing:
Unfortunately I only have access to macOS 26.3 (beta 3) at the moment, so I cannot test the cross-over cases right away.
However, here is what I can confirm on macOS 26.3 alone:
Step                        Result
pkgutil --check-signature   Signed with Developer ID Installer, valid
notarytool submit           Accepted
stapler validate            Valid
spctl -a --type install     Rejected
syspolicyd log              meetsDeveloperIDLegacyAllowedPolicy = 0
The .app (via ZIP) is signed with Developer ID Application from the same team and passes spctl -a --type exec with no issues. Only the .pkg path is affected.
Could this be a Gatekeeper regression specific to --type install evaluation on macOS 26.3?
Topic: Code Signing
SubTopic: Notarization
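The sequence of checks tabulated in the post, as an added example script that is not part of the original reply. It assumes a path to a Developer ID-signed .pkg (and, if you run the notarization step, a notarytool keychain profile name), and it uses only the real macOS tools named above: pkgutil, stapler, spctl, notarytool and log. The sample syspolicyd text at the bottom is constructed to match the key = value form the post quotes, not captured from a machine, so the parser only demonstrates how to pull the policy value out of whatever the log actually emits.

```sh
#!/bin/sh
# Added example (not the poster's script): reproduce the .pkg checks in order
# and extract the syspolicyd policy verdict from the unified log.
set -eu

# Checks that need nothing but the file and the local trust store.
# Usage: local_checks /path/to/Installer.pkg
local_checks() {
    pkg="$1"
    echo "== pkgutil --check-signature"
    pkgutil --check-signature "$pkg"
    echo "== stapler validate"
    xcrun stapler validate "$pkg"
    echo "== spctl --assess --type install"
    # Gatekeeper's installer-package assessment; -vv prints origin/source lines.
    if spctl -a -vv --type install "$pkg"; then
        echo "spctl: accepted"
    else
        echo "spctl: rejected"
    fi
}

# Optional network step: submit to the notary service and wait for the result.
# Usage: notarize /path/to/Installer.pkg KEYCHAIN_PROFILE   (profile name is an assumption)
notarize() {
    xcrun notarytool submit "$1" --keychain-profile "$2" --wait
}

# Read the syspolicyd lines for a recent window of the unified log.
# Usage: policy_log 2m
policy_log() {
    window="${1:-2m}"
    log show --last "$window" --predicate 'process == "syspolicyd"' --style compact
}

# Extract the meetsDeveloperIDLegacyAllowedPolicy value from log text on stdin.
# Prints the last value seen, or "unknown" when no such line is present.
legacy_policy_value() {
    v=$(sed -n 's/.*meetsDeveloperIDLegacyAllowedPolicy *= *\([0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$v" ]; then echo unknown; else echo "$v"; fi
}

# Constructed sample (not real log output); only the key = value shape matters.
SAMPLE_LOG='2026-01-01 10:00:00.000 Df syspolicyd[123:456] evaluating /tmp/Installer.pkg
2026-01-01 10:00:00.001 Df syspolicyd[123:456] meetsDeveloperIDLegacyAllowedPolicy = 0
2026-01-01 10:00:00.002 Df syspolicyd[123:456] verdict: reject'

# Run everything when given a package path; stays inert when sourced without one.
if [ "$#" -gt 0 ]; then
    local_checks "$1"
    echo "== syspolicyd (last 2 minutes)"
    policy_log 2m | tee /tmp/syspolicyd.txt
    echo "meetsDeveloperIDLegacyAllowedPolicy: $(legacy_policy_value < /tmp/syspolicyd.txt)"
fi
```

Run spctl first and then read the log immediately so the 2-minute window contains the assessment you care about; a value of 0 from legacy_policy_value corresponds to the rejected row in the table, while a run that prints "unknown" means the log text did not contain that key at all and you should widen the window or loosen the predicate before drawing conclusions.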