Codessign Plugins works, but not Standalone


I have the following problem: I can successfully sign my plugins built with CMake (AU, VST3) with codesign and also notarize them later. When I try to sign the standalone version of the plugin in the same project I get no error message, but the validation in the next step fails.

First Try:

# Works for AU & VST3, but fails for standalone (.app)

codesign --timestamp --force --deep -s "$SIGN_ID" "build/AU/Foo.component" -v

# Fails when validating
spctl -vvv --assess --type exec "build/Foo_artefacts/Release/"

Second Try:

# Copied from pluginval project, still doesn't work for standalone

codesign --entitlements "build/Foo_artefacts/JuceLibraryCode/Foo.entitlements" \
--force -s "$SIGN_ID" -v "build/Foo_artefacts/Release/" --deep

CMake config:

# For plugins
juce_add_plugin(Foo HARDENED_RUNTIME_ENABLED TRUE ...)

# Also tried basic standalone app, same problem

Any suggestions?