Unable to Staple Notarization to signed PKG: Missing CMS signature #24

Open
Ian-Butler-Novacoast opened this issue Jan 25, 2020 · 0 comments

I am creating signed PKGs on Linux with version 1.6.1 of xar based on this guide: http://users.wfu.edu/cottrell/productsign/productsign_linux.html

The PKG files are signed correctly according to pkgutil --check-signature reporting back

Status: signed by a developer certificate issued by Apple for distribution

and it lists the expected certificate chain.

However, I am now submitting the PKG files to Apple's new notarization service and while the notarization service reports back success, I am unable to staple the notarization to the PKG:

stapler staple -v ./test.pkg        
Processing: /Users/ianbutler/Documents/test.pkg
Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer package";
    NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
    "_NSURLIsApplicationKey" = 0;
}
Sig Type is RSA. Length is 3
Could not find an appropriate "code signature" in the test.pkg installer package.
Cannot download ticket. CDHash must be set.

The "CDHash must be set" error led me to this issue in another utility that deals with macOS packages: packagesdev/packages#32

In that discussion and subsequent fixes there is mention of the CMS signature missing. Is this something that is supported by xar but I am not using it correctly?

I will review the source code to see if this is something that can be ported from https://github.com/packagesdev/packages
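
One way to check on the build host which signature styles a package's xar table of contents declares, before submitting it for notarization. This is an added example, not part of the original issue and not code from xar or Packages. It assumes the CMS signature is recorded as an `<x-signature style="CMS">` TOC entry beside `<signature style="RSA">`; the sample archives are constructed inline.

```python
import struct
import xml.etree.ElementTree as ET
import zlib

# xar header, big-endian: magic, header size, version,
# compressed TOC length, uncompressed TOC length, checksum algorithm
HEADER = struct.Struct(">4sHHQQI")
MAX_TOC = 64 * 1024 * 1024  # arbitrary cap so a hostile header cannot force a huge inflate


def read_toc(data: bytes) -> ET.Element:
    """Parse the zlib-compressed XML table of contents that follows the header."""
    if len(data) < HEADER.size:
        raise ValueError("too short to be a xar archive")
    magic, hdr_size, _version, clen, ulen, _cksum = HEADER.unpack_from(data)
    if magic != b"xar!":
        raise ValueError("bad magic, not a xar archive")
    if hdr_size < HEADER.size or hdr_size + clen > len(data) or ulen > MAX_TOC:
        raise ValueError("header lengths are inconsistent with the file")
    inflater = zlib.decompressobj()
    xml = inflater.decompress(data[hdr_size:hdr_size + clen], ulen + 1)
    if len(xml) != ulen:
        raise ValueError("TOC length does not match the header")
    toc = ET.fromstring(xml).find("toc")  # use defusedxml for untrusted packages
    if toc is None:
        raise ValueError("no <toc> element")
    return toc


def signature_styles(data: bytes) -> dict:
    """Map each signature style in the TOC (e.g. RSA, CMS) to its declared size."""
    toc = read_toc(data)
    found = {}
    for tag in ("signature", "x-signature"):  # x-signature: assumed name of the CMS entry
        for el in toc.findall(tag):
            found[el.get("style", "unknown")] = int(el.findtext("size", "0"))
    return found


def build_sample(entries: str) -> bytes:
    """Constructed test archive: header plus TOC only, no heap or payload."""
    raw = ('<?xml version="1.0" encoding="UTF-8"?><xar><toc>%s</toc></xar>' % entries).encode()
    comp = zlib.compress(raw)
    return HEADER.pack(b"xar!", HEADER.size, 1, len(comp), len(raw), 1) + comp


RSA = '<signature style="RSA"><offset>20</offset><size>256</size></signature>'
CMS = '<x-signature style="CMS"><offset>276</offset><size>9000</size></x-signature>'

if __name__ == "__main__":
    print(signature_styles(build_sample(RSA)))
    print(signature_styles(build_sample(RSA + CMS)))
```

On a real package, pass the file's bytes to `signature_styles`; a result with only an `RSA` key matches the "Sig Type is RSA" line in the stapler output above.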
