TL;DR: Do not zip your app bundles using the zip command, instead use the “ditto -c -k –sequesterRsrc –keepParent MyApp.app MyApp.app.zip” command, or you can manually right click on your MyApp.app bundle on Finder and click on the “Compress MyApp.app” option, the zip command alters the UTF binary encoding of the files and makes the signature invalid.
We just went through hell to get FrostWire for Mac notarized by Apple’s automated service.
Since FrostWire is not a regular Objective-C/Swift app, but a Java app, our (one-step) build process is done entirely using bash scripts on the terminal.
The Notarization process helped us realize we had some old binaries that we hadn’t compiled since Mac SDK 10.6, and it made us sign them with hardened runtime support, it also made us make sure that there were no hidden .DS_ files as these can also cause the app bundle to be considered invalid by Apple.
In the end we were able to sign our squeaky clean FrostWire.app bundle and however we checked it, it appeared to have no errors with it whatsoever.
We’d always get the following error for our submission.
“The signature of the binary is invalid”
It was the damn .zip file
Thinking there was something wrong with our installer’s executable, we even re-built it using a custom Makefile and directly on the terminal, and not through an XCode project like we used to. As a plus, we think it’s much simpler now.
Between our signature checking on the local machine and the notarization submission there was one more step, compressing the FrostWire.app into a FrostWire.app.zip file.
To zip our bundle before submitting it to the notarization service (altool –notarize-app), we were using the zip command available at /usr/bin/zip
And this was the problem. This “zip” command is not the same compression software used by the Finder when you right click on a file and hit “Compress”
it’s called Info-ZIP and it’s not made by Apple.
As soon as we zipped the FrostWire.app with the Finder and then submitted that zip file, we were successful.
It appears that the /usr/bin/zip tool “is converting UTF-8 NFD charset to UTF-8 NFC. The new APFS filesystem supports both encodings unlike HFS+ where UTF-8 was always converted to UTF-8 NFD.”
This is why the code signature checks passed just fine on our end, but not on Apple’s side.
You can zip your bundle on your script with the “ditto” tool as if you were using the Finder, this way:
This issue is not mentioned on the Apple Developer Documentation “Resolving Common Notarization Issues” article, hopefully it’ll make it to their ears and they’ll add this possible solution to their “Ensure a Valid Signature” section list of possible solutions and caveats.
Official FrostWire Blog 
Mate… This post is superb. The zip was the problem the whole time. I thought I was going mad signing the executable repeatedly, every which way.
Changing to ditto did the trick instantly. Notarized without warnings. Cheers!
Oh man, you made my day. I’m glad that I was able to help you in advance, it took me forever to figure that out, I was also going mad.
OMG. “The signature of the binary is invalid.” I’ve just spent all day trying everything I could find online and could not figure out what the issue was. The error message is next to useless.
This was the problem.
THANK YOU!
That’s so awesome you found this post. I figured maybe I’d help someone in the future. Thank you for letting me know, good luck distributing your app.