But! Apple apparently listened and, from the release notes of Xcode 12.5… (bold added by me)
Signing and Distribution
Resolved Issues
- Resolved an issue that prevented exporting distribution certificates from Xcode due to a keyboard focus issue in the authentication window. (71011727) (FB8880845)
- Fixed an issue that caused OS X 10.11 and earlier to reject packages signed in macOS 11 or later. (71695608, 75599040)
EDIT: with this caveat:
- OS X 10.11 or earlier may reject code signatures added to universal binaries by Xcode 12.5 running in macOS 11.2 or earlier. (70724583) (FB8830007)
Workaround : Specify--digest-algorithm=sha1,sha256to thecodesignutility at signing time. In Xcode, specify this using theOTHER_CODE_SIGN_FLAGSbuild setting.
so it looks like it works out of the box if you’re on Big Sur 11.3, but you need the extra command line options to make it work if you’re on 11.0 up to 11.2