The signatures created by xcode dont include a timestamp. Deactivating any codesigning and doing it manually adds the timestamp just fine.

I have set code signing identity in producer to “Developer ID Application”
I have set my Development Team ID in producer correctly
I enabled hardened runtime

According to this page, the timestamp is only automatically added during archive or export:

By default, Xcode doesn’t include a secure timestamp as part of the app’s code signature during the build process. Instead, it adds a secure timestamp only during the archive (as of Xcode 10.2) and export workflows.

If you need a timestamp with every build, add this to your xcconfig or build settings:

OTHER_CODE_SIGN_FLAGS = --timestamp

For anyone else having this issue:

• I wrongly assumed that the timestamp was missing because apple notarization errors told me exactly that for multiple files, why did I trust Apple in the first place?
• creating a new packages project (using the exact same files) solved the issues for me, should probably switch to pkgbuild