codesigntelling me my app was fine, just for the same app to be rejected by GateKeeper. The
spctltool fortunately was more truthful, but didn't really say where the problem was.
A little sleuthing determined that although I had signed all my frameworks with the Developer ID, two auxiliary executables were signed with my development certificate.
Lesson learned: don't trust
spctl to verify your binaries.