If someone else can do some tests but don’t know how-to. Here are the steps to code sign and notarise.
STEP 1:
Codesigning on Mojave gives an error in most cases: resource fork, Finder information, or similar detritus not allowed
To fix this, you first need to clear the attributes:
xattr -rc </Path/to/your.app>
STEP 2:
Now you can code sign your .app, including making it ready for notarising.
codesign --force --options runtime --deep --sign "Developer ID Application: <DeveloperIDNameHere> </Path/to/your.app>
STEP 3:
Now create a .DMG file and code sign the .DMG file. I use DMG Canvas for this. Its one of the best in its class. Make sure the option to code sign the .dmg
STEP 4:
Now we are going to request a RequestUUID number. It will upload the .DMG file and do some magic stuff. This can take a while so be patient.
xcrun altool -t osx -f </Path/to/your.dmg> --primary-bundle-id <APPBUNDLEID> --notarize-app --username <DeveloperIDNameHere>
After this is finished, you will see the requested UUID. It looks something like 5ecb3409-c20e-2fe5-5672-ebe6ff85c7
STEP 5:
Its time to notarize everything with the UUID.
xcrun altool --notarization-info <RequestUUID> -u <DeveloperIDNameHere> -p @keychain:"Application Loader: <DeveloperIDNameHere>"
Now you will see a long log of data:
No errors getting notarization info.
RequestUUID: 5ecb3409-c20e-2fe5-5672-ebe6ff85c7
Date: 2018-10-20 14:07:30 +0000
Status: success
LogFileURL: https://osxapps-ssl.itunes.apple.com1540239093_56223396SXIEQYl87MG%2FezN30%3D
Status Code: 0
Status Message: Package Approved
STEP 6:
Last step, we need to staple the .DMG file.
xcrun stapler staple -v </Path/to/your.dmg>
You will see a long log but it should end with:
The staple and validate action worked!
Congratulations … you apps has now been code signed and notarised.
After you installed the app (from the .dmg) you can double check if everything is working:
spctl -a -v </Path/to/your.app>