I was reading through this post:
https://developer.apple.com/forums/thread/718583
I've been able to reproduce this behavior by double-clicking a DMG in the Finder while the Mac is Offline. I checked the Notarization status of the app via spctl and it shows "Notarized Developer ID". So sure enough, Quinn's comment about Gatekeeper "ingesting" the notarization ticket stapled to the DMG and automatically applying it to the app inside is 100% spot-on.
However, I can't seem to get the same behavior to happen when mounting the DMG via hdiutil in Terminal. While Offline, I do a:
hdiutil attach /path/to/my/dmg.dmg
and then
spctl -a -t exec -vvv /Volumes/path/to/my/mounted/dmg/myapp.app
After the spctl I'm seeing
/Volumes/path/to/my/mounted/dmg/myapp.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: My Developer Creds (XXXXXXXXXX)
Is there a way to get Gatekeeper to "ingest" the notarization ticket stapled to the DMG when using hdiutil while Offline?
Note 1: If I use hdiutil while online, everything works as expected.
Note 2: I'm testing all this via a VM of macOS 12.7.1, if that makes any difference.
Thanks!
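The offline check described in the post, as an added example that is not part of the original post: a script that attaches the DMG, checks whether a ticket is stapled to the image itself, and records Gatekeeper's verdict for both the image and the app inside. The function names `classify_assessment` and `check_dmg` are hypothetical, and the `xcrun stapler validate` and `spctl -a -t open --context context:primary-signature` calls are standard macOS commands that the post itself does not use.

```shell
#!/bin/sh
# Added example: compare the ticket stapled to a DMG with Gatekeeper's
# verdict on the app inside it. Function names are hypothetical.

# Reduce `spctl -a -vvv` output (read from stdin) to a single word.
classify_assessment() {
    awk '
        /: accepted$/ { verdict = "accepted" }
        /: rejected$/ { verdict = "rejected" }
        /^source=/    { source = substr($0, 8) }   # text after "source="
        END {
            if (source == "Notarized Developer ID")        print "notarized"
            else if (source == "Unnotarized Developer ID") print "unnotarized"
            else if (verdict != "")                        print verdict
            else                                           print "unknown"
        }'
}

# Attach the DMG as the post does, assess image and app, then detach.
# $1 = path to the DMG, $2 = app bundle name inside the mounted volume.
check_dmg() {
    dmg=$1
    app_name=$2
    # hdiutil prints tab-separated fields; the mount point is the last one.
    mount_point=$(hdiutil attach "$dmg" |
        awk -F'\t' '$NF ~ /^\/Volumes\// { print $NF }' | tail -n 1)
    [ -n "$mount_point" ] || { echo "attach failed: $dmg" >&2; return 1; }

    # Is a notarization ticket stapled to the disk image itself?
    if xcrun stapler validate "$dmg" >/dev/null 2>&1; then
        echo "dmg ticket: stapled"
    else
        echo "dmg ticket: missing or invalid"
    fi

    # spctl writes its assessment to stderr, hence 2>&1.
    echo "dmg: $(spctl -a -t open --context context:primary-signature \
        -vvv "$dmg" 2>&1 | classify_assessment)"
    echo "app: $(spctl -a -t exec -vvv "$mount_point/$app_name" 2>&1 |
        classify_assessment)"

    hdiutil detach "$mount_point" >/dev/null
}

# Run only when called with both arguments: script.sh /path/to.dmg myapp.app
if [ "$#" -eq 2 ]; then check_dmg "$1" "$2"; fi
```

Running it once online and once offline puts the three results side by side, which shows whether the ticket is on the image while the app assessment still reports "unnotarized".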