Don’t know if useful but this is my text that I copy and paste (with changes to the bold text). It’s never failed to notarize and is decidedly simple…
1.
Sign plugin files in terminal.
codesign -s "DEVELOPER ID APPLICATION: YOURCOMPANY (CODE)" "FILEPATH.COMPONENT" --timestamp
codesign -s "DEVELOPER ID APPLICATION: YOURCOMPANY (CODE)" "FILEPATH.VST3" --timestamp
2.
Create pkg using packages (with signing certificate).
3.
Notarize.
xcrun altool --notarize-app -f "FILEPATH.PKG" --primary-bundle-id com.BUNDLE.pkg --username "DEVELOPER EMAIL" --password "APP SPECIFIC PASSWORD"
4.
Wait for email and then staple.
xcrun stapler staple "FILEPATH.PKG"
5.
Checks.
spctl -a -vvv -t install "FILEPATH.PKG"