The notarisation system lets you notarise existing code, even if that code doesn’t meet its standard security requirements.  My best guess is that this code is hitting that legacy path.  And, to be clear, that’s a guess, because we explicitly do not document all the criteria required to hit that path.

See the Notarize Your Preexisting Software section of Notarizing Your App Before Distribution for more background to this.


Why break my binary and how I can fix it?

The hardened runtime enables a wide variety of additional security checks.  It’s hard to say which one of these is causing the specific problem you’re seeing.  A good way to investigate this is to disable all these security checks (see Hardened Runtime Entitlements), confirm that your app works, and then selectively re-enable them to see where things start to fail.

