Reply to Notary service down again?
Thank you for following up on this and I did submit a bug report with the specific PKG submitted 78407997. However, thanks to you and the notary developers, I do believe I found the problem within my Distribution.xml. I went and synthesized a new Distribution.xml using

    productbuild --synthesize --package ConcealConnect.pkg --package ConcealUpdate.pkg --package ConcealBrowse.pkg Distribution.xml

and I did notice that the result was drastically different from what I had. The main difference is that the synthesized PKG does not by default show the choices to the user so that they can pick and choose what parts of the software distribution get installed. When I had added this capability I foolishly also added a second <pkg-ref ...> for every single PKG and this one did not contain the #. So what I think was happening is, because of this poor Distribution.xml implementation, sometimes everything would work fine because the proper instantiation was first in the file and other times it would fail because the incorrect <pkg-ref ...> was being used.

For anyone else who finds this in the future, this is the Distribution.xml I am using now and it seems to be working reliably.
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>ConcealBrowse Installer</title>
    <options customize="always" allow-external-scripts="no"/>
    <domains enable_localSystem="true"/>
    <pkg-ref id="io.conceal.helper" auth="Root">#ConcealBrowse.pkg</pkg-ref>
    <pkg-ref id="io.conceal.updater" auth="Root">#ConcealUpdate.pkg</pkg-ref>
    <pkg-ref id="io.conceal.connect" auth="Root">#ConcealConnect.pkg</pkg-ref>
    <choices-outline>
        <line choice="browse"/>
        <line choice="updater"/>
        <line choice="connect"/>
    </choices-outline>
    <choice id="browse" visible="true" title="ConcealBrowse">
        <pkg-ref id="io.conceal.helper"/>
    </choice>
    <choice id="updater" visible="true" title="ConcealUpdate">
        <pkg-ref id="io.conceal.updater"/>
    </choice>
    <choice id="connect" visible="true" title="ConcealConnect">
        <pkg-ref id="io.conceal.connect"/>
    </choice>
</installer-gui-script>
Topic: Code Signing SubTopic: Notarization Tags:
Nov ’25
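An added example, not part of the original post and not Apple tooling: a pre-build lint for the condition the post describes, where a top-level `<pkg-ref>` for an id carries a payload reference without the leading `#` or disagrees with another one for the same id. The function name and the rules are assumptions chosen for illustration, `GOOD` is a reduced copy of the working file above, and `BAD` is a constructed reconstruction of the failing state.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def lint_distribution(xml_text):
    """Return sorted (pkg-ref id, problem) findings for a Distribution file."""
    root = ET.fromstring(xml_text)
    payloads = defaultdict(list)  # id -> text of each top-level <pkg-ref> that carries text
    for ref in root.findall("pkg-ref"):  # direct children only, not those inside <choice>
        text = (ref.text or "").strip()
        if text:
            payloads[ref.get("id")].append(text)
    findings = []
    for ref_id, texts in payloads.items():
        for text in texts:
            if not text.startswith("#"):
                findings.append((ref_id, f"payload reference {text!r} lacks leading '#'"))
        if len(set(texts)) > 1:
            joined = ", ".join(sorted(set(texts)))
            findings.append((ref_id, "conflicting payload references: " + joined))
    # Heuristic: every id a <choice> installs should have a payload-bearing definition.
    for choice in root.findall("choice"):
        for ref in choice.findall("pkg-ref"):
            if ref.get("id") not in payloads:
                findings.append((ref.get("id"), f"choice {choice.get('id')!r} has no payload-bearing pkg-ref"))
    return sorted(findings)

# Reduced copy of the working file from the post.
GOOD = """<installer-gui-script minSpecVersion="1">
  <pkg-ref id="io.conceal.helper" auth="Root">#ConcealBrowse.pkg</pkg-ref>
  <pkg-ref id="io.conceal.updater" auth="Root">#ConcealUpdate.pkg</pkg-ref>
  <choice id="browse" visible="true" title="ConcealBrowse"><pkg-ref id="io.conceal.helper"/></choice>
  <choice id="updater" visible="true" title="ConcealUpdate"><pkg-ref id="io.conceal.updater"/></choice>
</installer-gui-script>"""

# Constructed: a second pkg-ref without '#', plus a choice whose id has no payload.
BAD = """<installer-gui-script minSpecVersion="1">
  <pkg-ref id="io.conceal.helper" auth="Root">#ConcealBrowse.pkg</pkg-ref>
  <pkg-ref id="io.conceal.helper" auth="Root">ConcealBrowse.pkg</pkg-ref>
  <choice id="browse" visible="true" title="ConcealBrowse"><pkg-ref id="io.conceal.helper"/></choice>
  <choice id="connect" visible="true" title="ConcealConnect"><pkg-ref id="io.conceal.connect"/></choice>
</installer-gui-script>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_distribution(doc) or "no findings")
```

Text-less `<pkg-ref id="..."/>` elements, which `productbuild --synthesize` also emits at the top level, are ignored, so a synthesized file passes.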
Reply to Notary service down again?
Apologies, I am now having troubles getting this to recreate again even using the exact same submission. I will keep trying and hopefully get you something you can work with.

What do you consider building with Apple tools? This is our process for building, as we are a golang application developed outside of Xcode.

For each inner PKG:

create universal binary

sign and verify the binary

    codesign --sign "Developer ID Application: <my developer id>" --deep --timestamp --options=runtime <path to my binary>
    codesign --verify --verbose <path to my binary>

build and sign the inner pkg

    pkgbuild --root <path to input folder> ConcealBrowse.pkg --scripts <my scripts folder> --sign "Developer ID Installer: <my installer id>" --install-location /Applications --identifier io.conceal.helper --version <specific release version>
    pkgutil --check-signature signed-installers/ConcealBrowse.pkg

Notarize and staple the PKG

    xcrun notarytool submit --key <connect api key path> --key-id <my key id> -i <my api issuer> ConcealBrowse.pkg --wait
    xcrun stapler staple ConcealBrowse.pkg

After we repeat the above process for all three of our inner PKGs, I build and sign the Distribution PKG

    productbuild --distribution Distribution.xml --sign "Developer ID Installer: <my developer id>" --timestamp --package-path ConcealDistribution.pkg

Finally I notarize and staple the Distribution pkg

    xcrun notarytool submit --key <connect api key path> --key-id <appstore api key id> -i <appstore api key issuer> ConcealDistribution.pkg --wait
    xcrun stapler staple ConcealDistribution.pkg

When it comes to the notary process I can always notarize every single inner PKG; however, it is the Distribution PKG that causes problems. So we are not building with Xcode, but these are all tools supported by Apple run on Apple hardware, so to me that would count, but not sure if you have a different perspective on that. I appreciate your help and as soon as I can get this to recreate again I will make sure to submit.
Topic: Code Signing SubTopic: Notarization Tags:
Nov ’25
Reply to Notary service down again?
This is the notary log and it still contains the same critical validation errors claiming it has no signed executables or bundles. However, if I skip notarization and just install it using

    installer -verboseR -pkg ConcealDistribution.pkg -target /

it works just fine and everything installs as expected. As I mentioned in the older thread, I have not changed the structure or format of this PKG and this has been working for months up until a few weeks ago when it suddenly started failing.

{
  "logFormatVersion": 1,
  "jobId": "14cc46bd-10d5-4e9c-9ad6-86c06baad6b2",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "ConcealDistribution.pkg",
  "uploadDate": "2025-11-05T21:53:19.782Z",
  "sha256": "48ba80a95c818ae81cadcca07afed1ef4d0d8c120a87622b200dc9935964ee26",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "ConcealDistribution.pkg",
      "message": "Package ConcealDistribution.pkg has no signed executables or bundles. No tickets can be generated.",
      "docUrl": null,
      "architecture": null
    },
    {
      "severity": "warning",
      "code": null,
      "path": "ConcealDistribution.pkg",
      "message": "The contents of the package at ConcealDistribution.pkg could not be extracted.",
      "docUrl": null,
      "architecture": null
    }
  ]
}

As a reminder, so you don't have to flip back to the old thread, this is the structure of my Distribution PKG when I perform a pkgutil --expand.

ConcealDistribution
├── Distribution
├── ConcealConnect.pkg
├── ConcealBrowse.pkg
└── ConcealUpdate.pkg
Topic: Code Signing SubTopic: Notarization Tags:
Nov ’25