I still am not totally clear on the answer to that. Here’s what I can add:
Today I was notarizing an already-built installer package from the command line, following Apple’s instructions here.
The installer was notarized with no problem. When checking the log file for the notarization (at the LogFileURL provided by Apple), it lists the “ticketContents” in detail. Itemized there were 8 entries:
- The overall installer
.pkg - A plug-in bundle for each of the AU and VST3 formats (
.componentand.vst3) - The plug-in binary within each of the bundles (i.e. within
/Contents/MacOS/subdirectories) for AU, VST, and AAX - A couple
Pace_Edenentries for the AAX
For each entry it lists a cdhash value. So it would seem that each binary included within the installer is being tracked by the single notarization step. But can’t say for sure.