Surely that means 10.10 is able to handle SHA 256.
Not necessarily: I think the 10.15 codesign generates both SHA1 & SHA256 sigs, and the macOS 11 codesign on the TDK at least only generates SHA256.
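A quick way to tell which digest algorithms a signature actually carries is the "Hash choices=" line that codesign prints in its verbose description. The script below is an added example, not code from this thread or from Apple; it parses that line so you can check a built app before shipping it to older systems. The two sample outputs are constructed and abridged (dummy hashes, made-up bundle identifier), so the parsing can be exercised on any POSIX shell; on a Mac you would pipe real output into it with `codesign -dvvv /path/to/Example.app 2>&1 | digest_report`.

```shell
#!/bin/sh
# Added example: report which code-directory digests a signature includes.
# codesign -dvvv prints, among other lines, one of the form:
#   Hash choices=sha1,sha256
# Everything here reads that verbose output from stdin.

# hash_choices: print the comma-separated algorithm list (empty if absent)
hash_choices() {
    sed -n 's/^Hash choices=//p' | head -n 1
}

# has_sha1 LIST: succeed when the list names a SHA-1 digest
has_sha1() {
    case "$1" in
        *sha1*) return 0 ;;
        *)      return 1 ;;
    esac
}

# digest_report: one-line summary suitable for a build log
digest_report() {
    choices=$(hash_choices)
    if [ -z "$choices" ]; then
        echo "no Hash choices line found (is this codesign -dvvv output?)"
    elif has_sha1 "$choices"; then
        echo "digests: $choices (SHA-1 present)"
    else
        echo "digests: $choices (SHA-256 only)"
    fi
}

# Constructed sample outputs, not captured from a real machine.
SAMPLE_BOTH='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O thin (x86_64)
Hash type=sha256 size=32
CandidateCDHash sha1=0000000000000000000000000000000000000000
CandidateCDHashFull sha256=0000000000000000000000000000000000000000000000000000000000000000
Hash choices=sha1,sha256'

SAMPLE_SHA256_ONLY='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O thin (x86_64)
Hash type=sha256 size=32
CandidateCDHashFull sha256=0000000000000000000000000000000000000000000000000000000000000000
Hash choices=sha256'

# Usage with the constructed samples:
printf '%s\n' "$SAMPLE_BOTH" | digest_report
printf '%s\n' "$SAMPLE_SHA256_ONLY" | digest_report
```

Running the report as a post-signing step in a build script makes it obvious which toolchain produced the signature, since the thread's observation is that the algorithm set depends on the codesign version doing the signing rather than on any flag the script passes.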
I've been following this thread with great interest since our apps have pretty similar requirements. At the moment none of our build boxes are running macOS 11.x, but we may have to update at least 1 to support iOS builds.
So, this afternoon, I tried building our (macOS) app on the DTK box (running 11.0.1). So far, I'd only been using it for testing, so had to install Xcode 12.2, the certs, etc. Our app also has embedded dylibs, Finder sync extension, privileged helper tool etc., all of which is signed from the inside-out by a build script written in Python. The script also (optionally) notarizes the built packages.
The good news is that it all still works: the resulting package is notarized and stapled; the bad news is that, as expected, the package will not open in 10.11 (and presumably earlier).
I'm not sure why your script has trouble with the signing - some difference in behaviour between zsh & bash possibly? Does signing the recalcitrant dylibs in the Terminal work?