I have an app at work that I maintain. Last couple of releases were notarized. But now notarization fails. I have embedded an external application (Pashua) into my AppleScript app. And that app is using an old SDK. And because Apple changed some Notarization rules (they announced this), my AppleScript app won’t notarize anymore.

But now I’ve just signed the app with my codesign --sign "Developer ID Application: ..." and that just runs on macOS Catalina, also on machines that never had an any version of my app installed. Also Pashua just runs.

How can this be. Both my non-notarized app, and Pashua do just run on Catalina. Is this Notarization thing a joke? I’m utterly confused…

The exact algorithm Apple uses is not disclosed, and is a moving target. But the version of the SDK used when apps were built is in the mix, and perhaps that goes part of the way to explaining what you see.