Notarization and Stapling Failing for Signed PKG & DMG with Error 65 Despite Successful Notary Submission

Dear Apple Developer Technical Support, I am encountering an issue with notarizing and stapling both PKG and DMG installers for our Electron-based macOS application COSGrid. Despite receiving successful notarization submission responses via notarytool, the stapling process fails with Error 65.

Environment:

• App Name: COSGrid
• Bundle Identifier: com.cosgrid.pkg.COSGrid
• Developer ID Team ID: YB8S2XZ98K
• macOS Version: macOS [15.1]
• Xcode Version: [16.0 (16A242d)]

Workflow Summary: For PKG:

• Build via yarn build (Vite + Electron Builder)
• Package with pkgbuild
• Sign using productsign

Submit for notarization:

xcrun notarytool submit COSGridMZA-2.1.10-arm64.pkg --apple-id "..." --team-id YB8S2XZ98K --password "..." --wait

Conducting pre-submission checks for COSGridMZA-2.1.10-arm64.pkg and initiating connection to the Apple notary service...
Submission ID received
  id: a8ff8e09-1ab4-49ed-9f6b-4afb9f09e53a
Upload progress: 100.00% (235 MB of 235 MB)   
Successfully uploaded file
  id: a8ff8e09-1ab4-49ed-9f6b-4afb9f09e53a
  path: /Users/murugavel/Documents/MZA/mza/release/2.1.10/COSGridMZA-2.1.10-arm64.pkg
Waiting for processing to complete.
Current status: Accepted.....................
Processing complete
  id: a8ff8e09-1ab4-49ed-9f6b-4afb9f09e53a
  status: Accepted

Receive notarization success Stapling fails:

xcrun stapler staple COSGridMZA-2.1.10-arm64.pkg
Could not validate ticket...
The staple and validate action failed! Error 65.

For DMG:

• Sign via codesign
• Submit to notarization — success
• Attempt to staple:

xcrun stapler staple -v COSGrid-2.1.10-arm64.dmg
Could not validate ticket...
The staple and validate action failed! Error 65.

Additional Verification:

I verified the DMG’s code signature integrity: Command:

codesign --verify --verbose=4 COSGrid-2.1.10-arm64.dmg

Output:
COSGrid-2.1.10-arm64.dmg: valid on disk
COSGrid-2.1.10-arm64.dmg: satisfies its Designated Requirement

Command:

codesign -dvv COSGrid-2.1.10-arm64.dmg

Output:
Executable=/Users/murugavel/Documents/MZA/mza/release/2.1.10/COSGrid-2.1.10-arm64.dmg
Identifier=COSGrid-2.1.10-arm64
Format=disk image
CodeDirectory v=20200 size=308 flags=0x0(none) hashes=1+6 location=embedded
Signature size=9013
Authority=Developer ID Application: COSGrid Systems Private Limited (YB8S2XZ98K)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jul 2025 at 11:34:05 AM
Info.plist=not bound
TeamIdentifier=YB8S2XZ98K
Sealed Resources=none
Internal requirements count=1 size=180

**Verified Signature for .pkg **

pkgutil --check-signature COSGridMZA-2.1.10-arm64.pkg

Package "COSGridMZA-2.1.10-arm64.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2025-06-30 13:57:19 +0000
   Certificate Chain:
    1. Developer ID Installer: COSGrid Systems Private Limited (teamID)
       Expires: 2027-02-01 22:12:15 +0000
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000

Diagnostic Logs Attached: Stapler verbose logs for both PKG and DMG codesign verification output for both PKG and DMG Notarytool submission logs Ticket JSON response from Apple API API request/response headers Effective electron-builder.yaml config

Key Observations: codesign verification passes successfully for both artifacts Notarization submission reports success via notarytool Stapler fails with Error 65 for both PKG and DMG Ticket JSON fetched from CloudKit API appears valid No provisioning profile used (Developer ID distribution only)

Request: Could you please help investigate: Why is the stapler unable to validate or attach the ticket even though notarization completes successfully? Are there any known issues, entitlements, or workflow adjustments recommended in this case? Is any special handling required for Electron apps’ PKG/DMG packages or Hardened Runtime configurations during stapling?

I can provide the signed DMG/PKG and full notarization logs upon request. Thank you very much for your assistance — looking forward to your guidance.

Best regards, Murugavel COSGrid Systems Private Limited