Whenever apple says “this is not recommended” they mean “don’t do this.” They’ll pull the plug without warning.
They certainly do like to make significant changes with little to no warning. As they continue to do so, we’ll continue to adapt accordingly. 
And for the record, there is information about Code Signing OS X apps in the User Guide:
User Guide Book 4: Development, Chapter 2: Cross-Platform Development, Section 3: OS X Features
If I remember right, Sam Rowland’s AppWrapper already uses the signing scheme recommended by Apple.
I have used App Wrapper 3 in particular to sign an app that contains a helper in the bundle, itself being a bundle la Russian nesting dolls, and everything was signed to the satisfaction of the MAS.
Thanks all, I finally asked enough questions and fumbled around long enough that I got it to work. I think most of the problem is I am a 20 year Window developer that is somewhat new to the Mac and things just aren’t how I expect them to be. It is starting to make sense now, although a trip to nut house is likely when I try the MAS the first time. Thanks for the help!
Which is quite rare, it’s become common habit to simply remove it without warning. So when Apple advise against doing something, take that advice!
Indeed we have to.
App Wrapper 3 has 2 options, one is to use the App Wrapper engine and the second is to use an enhanced version of --deep. The reason being is that I’ve tried my damndest to replicate the functionality of --deep. Without any documentation. There are circumstances however where the App Wrapper engine signs files that --deep misses and --deep signs files that App Wrapper misses.
Last summer, I spent a lot of time getting my engine as close as possible… However with Apple’s most recent changes, neither App Wrapper, nor --deep actually operates 100% to the guidelines. Therefore engine v4 has been in development for a while now, that will adhere to the recent guidelines, until Apple change them again.
Can’t say how much of help App Wrapper 3 was in getting this done. A huge bargain at $50.
Do you like to stab yourself in the eye with hot pokers? Am kidding, but sometimes it can be really painful to deal with shitty reviewers. Just try to remain calm and talk to us here and we’ll do what we can to help you through this.
When does --deep miss files? I’ve not seen that yet but our apps are not deeply nested. We have just one helper app per application bundle and in that case we also use an installer package with scripts to handle the configuration and launch of the helper app, which runs as a daemon.
Currently, application bundles and installer packages are created and signed on OS X 10.10.1 with the Command Line Tools for Xcode 6.1.1 released on December 2, 2014 and tested with the SignatureCheck tool released November 12, 2014. Installation tests on Yosemite, Mavericks, Mountain Lion and Lion are also done using downloaded files to thoroughly test compatibility with Gatekeeper on each version of OS X. So far, so good but it’s only a matter of time before Apple makes a change to which we must adapt our build scripts.