What are the most appropriate ways to harden, code-sign, notarize, package, etc., a command-line binary (stdin, stdout, etc., no windows or icons) to allow distribution of the binary to macOS Catalina users, so that they can run the utility with the least amount of pain/hassle?

Assume the default/stock OS configuration of Gatekeeper, etc. Assume the users most likely currently don't have the installed tools or skills to compile from source. Assume that a Terminal window popping up when running the utility won't scare them.

hotpaw2

1 Answer

OLD ANSWER (2020):

I've started using https://github.com/mitchellh/gon recently, and am very happy with it. From the makers of Vagrant, Terraform, Packer, et al.

UPDATED ANSWER (2022):

Gon is very nearly abandonware at this point, which is disappointing. However, since then, Apple also released notarytool, which essentially does what Gon did.

I use GoReleaser for releases, and this is the notarization step in my .goreleaser.yml file. (You should be able to convert this back to a standard shell command pretty easily.)

signs:
  - id: gatekeeper
    ids:
      - macos-archive
    signature: "${artifact}"
    cmd: xcrun
    args:
      [
        "notarytool",
        "submit",
        "./dist/{{ .ProjectName }}-{{ .Version }}.darwin.universal.zip",
        "--apple-id",
        "{{ .Env.AC_APPLE_ID }}",
        "--password",
        "{{ .Env.AC_PASSWORD }}",
        "--team-id",
        "{{ .Env.AC_TEAM_ID }}",
        "--progress",
        "--wait",
      ]

Ryan Parman
  • This is an excellent suggestion. The gon README includes the most concise collection of instructions for codesigning and notarizing compiled applications I have found. – Aaron Ciuffo Nov 02 '20 at 07:40
  • Maybe this helps: https://scriptingosx.com/2019/09/notarize-a-command-line-tool/ Also see my answer at https://stackoverflow.com/questions/53101626/how-to-notarize-an-app-bundle-containing-helpers-embedded-in-it/74287448#74287448 – RED SOFT ADAIR Nov 02 '22 at 10:08
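
The GoReleaser step from the answer written out as a plain shell function, as an added example that is not part of the original answer or of GoReleaser. The names `notarize`, `AC_KEYCHAIN_PROFILE` and `NOTARY_DRY_RUN` are assumptions made here; the keychain-profile branch relies on a profile saved beforehand with `xcrun notarytool store-credentials`, which keeps the app-specific password out of the process arguments.

```shell
#!/bin/sh
# Added example, not from the answer: the GoReleaser step as a shell function.
# AC_APPLE_ID / AC_PASSWORD / AC_TEAM_ID are the answer's variable names.
# Assumed names: notarize, AC_KEYCHAIN_PROFILE, NOTARY_DRY_RUN.
# Usage: notarize ./dist/<project>-<version>.darwin.universal.zip

notarize() {
    archive=$1
    [ -f "$archive" ] || { echo "error: no such archive: $archive" >&2; return 1; }

    set -- notarytool submit "$archive"
    if [ -n "${AC_KEYCHAIN_PROFILE:-}" ]; then
        # Profile saved once with `xcrun notarytool store-credentials`, so the
        # app-specific password never appears in this process's arguments.
        set -- "$@" --keychain-profile "$AC_KEYCHAIN_PROFILE"
    else
        # Same three credentials the answer passes from the environment.
        for v in AC_APPLE_ID AC_PASSWORD AC_TEAM_ID; do
            eval "val=\${$v:-}"
            [ -n "$val" ] || { echo "error: $v is not set" >&2; return 1; }
        done
        set -- "$@" --apple-id "$AC_APPLE_ID" \
                    --password "$AC_PASSWORD" \
                    --team-id "$AC_TEAM_ID"
    fi
    set -- "$@" --progress --wait

    if [ "${NOTARY_DRY_RUN:-0}" = 1 ]; then
        # Print the command instead of running it, hiding the password value.
        line=xcrun prev=
        for a in "$@"; do
            [ "$prev" = --password ] && a='<redacted>'
            line="$line $a"
            prev=$a
        done
        printf '%s\n' "$line"
    else
        xcrun "$@"
    fi
}
```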