The notary service requires that all main executables have the hardened runtime enabled. This includes your main app and any main executables embedded within it. Other main executable types included:
If you build these nested items with Xcode, enable the hardened runtime using Signing & Capabilities. If you build these items without Xcode, enable the hardened runtime when you sign the code. See Signing a Mac Product For Distribution for details.
When signing third-party code that you embed in an Xcode project, you don’t necessarily have to sign with a signing identity. You can often get away with signing the code ad hoc (using - as the identity). Xcode will then re-sign the code as it exports your product. This re-signing process sets the signing identity but preserves other stuff, like the hardened runtime flag.
IMPORTANT Do not disable library validation unless you need to load third-party plug-ins. Disabling library validation makes it harder to pass Gatekeeper. To quote the docs:
Because library validation is such an important security-hardening feature, Gatekeeper runs extra security checks on programs that have it disabled.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
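A pre-notarization check for the points in the post above, as an added example that is not part of the original post or Apple's code: it reads what `codesign -d` prints and reports any item that lacks the hardened runtime flag or declares the disable-library-validation entitlement. The function names and the sample flags lines are constructed for illustration; the audit itself needs macOS.

```shell
#!/bin/sh
# Added example (not from the original post). Signing outside Xcode with the
# hardened runtime on, ad hoc, looks like:  codesign -s - -o runtime <path>

# Constructed samples of the flags line from `codesign -d --verbose=2`.
SAMPLE_ADHOC_RUNTIME='CodeDirectory v=20500 size=1024 flags=0x10002(adhoc,runtime) hashes=20+7 location=embedded'
SAMPLE_NO_RUNTIME='CodeDirectory v=20400 size=1024 flags=0x0(none) hashes=20+5 location=embedded'

# Succeeds if the codesign display output on stdin carries the runtime flag.
has_hardened_runtime() {
    # Pull the names inside flags=0x...(...), e.g. "adhoc,runtime" or "none".
    flags=$(sed -n 's/.*flags=0x[0-9a-fA-F]*(\([^)]*\)).*/\1/p' | head -n 1)
    case ",$flags," in
        *,runtime,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the entitlements dump on stdin names the entitlement that turns
# library validation off. Presence alone is treated as worth a review.
mentions_disable_library_validation() {
    grep -q 'com\.apple\.security\.cs\.disable-library-validation'
}

# Audits one signed executable or bundle (macOS only: calls codesign).
audit_item() {
    item=$1
    # codesign -d writes its report to stderr, so fold it into stdout.
    info=$(codesign -d --verbose=2 "$item" 2>&1) || { echo "UNSIGNED    $item"; return 1; }
    printf '%s\n' "$info" | has_hardened_runtime || { echo "NO-RUNTIME  $item"; return 1; }
    if codesign -d --entitlements - "$item" 2>/dev/null | mentions_disable_library_validation; then
        echo "LIBVAL-OFF  $item"
        return 1
    fi
    echo "OK          $item"
}

# Usage: sh audit.sh MyApp.app MyApp.app/Contents/Helpers/tool ...
for item in "$@"; do
    audit_item "$item"
done
```

Pass every main executable in the product, not only the outer app, since each one is checked separately.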