You're signing it wrong!
A recently discovered security vulnerability in how third-party vendors are checking Apple's "code-signing" process potentially made it easier to trick macOS users into running malicious third-party code. Developers have been warned of the risk, but users still need to upgrade their software to guard against attacks exploiting …
Sorry to ruin the joke but this attack doesn't fool any of the built-in OS-level security measures, just a bunch of third-party apps that check the signature on only the first architecture within a fat binary.
So the blame-claim would be: they're validating it wrong.
... though hopefully Apple will do something about whatever the APIs are to encourage correctness by default.
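The validation gap described in the comment above, as an added example that is not part of the original comment, Apple's APIs, or any vendor's code: it parses the fat (universal) header and contrasts a check that looks only at the first architecture slice with one that requires every slice to pass. `slice_ok` is a hypothetical stand-in for a real per-slice signature check, the sample file is constructed, and only the 32-bit fat header layout is handled.

```python
import struct

FAT_MAGIC = 0xCAFEBABE          # big-endian fat header with 32-bit offsets
CPU_TYPE_I386 = 7
CPU_TYPE_X86_64 = 0x01000007

def fat_slices(data):
    """Return [(cputype, offset, size)] for every slice listed in the fat header."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a 32-bit fat binary")
    slices = []
    for i in range(nfat):
        base = 8 + 20 * i           # each fat_arch entry is 20 bytes
        if base + 20 > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, base)
        if offset + size > len(data):
            raise ValueError("slice %d extends past end of file" % i)
        slices.append((cputype, offset, size))
    return slices

def first_slice_only(data, slice_ok):
    """The flawed pattern from the comment: judge the file on slice 0 alone."""
    _cpu, off, size = fat_slices(data)[0]
    return slice_ok(data[off:off + size])

def every_slice(data, slice_ok):
    """Accept the file only if it has slices and each one passes slice_ok."""
    slices = fat_slices(data)
    return bool(slices) and all(slice_ok(data[o:o + s]) for _c, o, s in slices)

def build_fat(parts):
    """Constructed sample: pack (cputype, payload) pairs into a fat container."""
    table, body, off = b"", b"", 8 + 20 * len(parts)
    for cputype, payload in parts:
        table += struct.pack(">iiIII", cputype, 3, off, len(payload), 0)
        body += payload
        off += len(payload)
    return struct.pack(">II", FAT_MAGIC, len(parts)) + table + body

# Hypothetical marker check standing in for real signature verification.
def slice_ok(blob):
    return blob.startswith(b"SIGNED:")

SAMPLE = build_fat([(CPU_TYPE_I386, b"SIGNED:slice-a"),
                    (CPU_TYPE_X86_64, b"UNSIGNED:slice-b")])
```

On the constructed sample, `first_slice_only` accepts the file while `every_slice` rejects it, which is the difference between the third-party checks and a check that covers all architectures.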