I've got the following answer in my ticket: This is expected behavior, you will need to produce two different packages that are signed with different hashes if you want to support older OSs. that's pretty crazy. apple really loves its developers

this issue was just reported from a user, which is how i ended up here! i'll see if i can get more details, as i was fully prepped to ship two separate installers. thanks btw!