I'm seeing this error too. The bundle in question runs properly locally and is correctly signed. Did you find out what the problem was?

Could this be failing because the timestamps are inconsistent? pkgutil is reporting the timestamp in UTC, but codesign appears to have used local time which in my case (UTC+13) is ahead of the package signing time, UTC, and the local time at the at the notarization server. pkgutil --check-signature myapp.pkg Package "myapp.pkg": Status: signed by a developer certificate issued by Apple for distribution Signed with a trusted timestamp on: 2023-12-19 22:02:34 +0000 ... codesign --display -v --deep --strict myapp.app Executable=/path/to/myapp.app/Contents/MacOS/myapp Identifier=myapp Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=76755 flags=0x10000(runtime) hashes=2392+3 location=embedded Signature size=8991 Timestamp=20/12/2023 at 11:02:19 AM ...

Also just came across this issue. Anyone know how to fix it?

Had this issue trying to build a Cordova app with Xcode 12.4. Switching to Xcode 11.7 with xcode-select allowed the project to build sucessfully.