I maintain OS software which is distributed as an Mach-O executable in a zip. It's not packaged as an app. I can codesign this without problems but all references to notarization that I can find are talking about .apps. Does anyone know about notarizing simple executables?
Yes. You can notarize plain executables. Some caveats...
The upload process does not accept executables, they must be encoded. Zipping them is the easiest way. The notarization is for the underlying executable, you can unzip, re-zip, etc. But the transfer process needs the enclosing zip.
You can't staple to the executable. Gatekeeper can verify against apple's servers, instead of the stapled ticket. (And presumably, the quarantine bit is then removed)
The spctl -a -vvv -t install command will display a bunch of info.
$ file go-hello-notarized-APPLEID
go-hello-notarized-APPLEID: Mach-O 64-bit executable x86_64
$ spctl -a -vvv -t install go-hello-notarized-APPLEID
go-hello-notarized-APPLEID: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example, Inc (APPLEID)
There's info in https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow but it's hard to tell until you try it all.