One of my scripts contains encrypted zip files that contain some MS-DOS executables that can’t be distributed freely, but which I want to make available to people who have the legal right to use them.

When I use SD notary with these apps, I get this warning message:

message: b'ditto: no password provided for encrypted PKZip archive\n'
severity: warning

It’s just a warning, but is there some way I can give Apple the password without making it available to all users?

No, and I’d be surprised if any practical arrangement for it were at all feasible, given how the system works.

As I feared. Thank you!

Yes, that warning is normal when you notarize something. Apple can’t look at encrypted ZIP files, and there’s no safe way to send a password to the notarization service either. It will always complain if there are executables inside. If licensing allows, the only real options are to either ship the files separately or unpack and sign them before notarizing them. It’s annoying, but that’s how the system works.