I know this may muddy the waters a bit... but I've actually never code signed my VST3/AU... only my AAX because it's required. I've only ever codesigned the .PKG when I was using those and the Standalone app (via Apple's signing/notarizing in Xcode). Now I have a custom installer that I built and I only have to codesign/notarize it via Xcode (not via the terminal) and I don't worry about codesigning any of the individual binaries... and all my plugins run just fine for my users...