
How to staple Apple notarization tickets (without using 'xcrun stapler')

1 vote
0 answers
249 views
Recently (as of 2023-11-01) Apple has changed their notarization process. I took the opportunity to drop Apple's own tools for this process (notarytool) and switch to a Python-based solution using their [documented Web API for notarization](https://developer.apple.com/documentation/notaryapi/submitting_software_for_notarization_over_the_web). This works great and has the additional bonus that I can now notarize macOS apps from Linux (in the context of CI, I can provision Linux runners much faster than macOS runners), or from a more lightweight installation of macOS (without Xcode, or even the Xcode CommandLine utilities, installed).

Since this went so smoothly, I thought about moving more parts of my codesigning process to Linux, and the obvious next step is to find a solution for stapling the notarization tickets into the application, replacing `xcrun stapler staple MyApp.app`.

With the help of `-vv` and some scraps of [online](https://developer.apple.com/documentation/technotes/tn3126-inside-code-signing-hashes) [documentation](https://lapcatsoftware.com/articles/logging-https.html), it turns out that it is very simple to obtain the notarization ticket if you know the code directory hash (CDhash) of your application. The following will return a JSON object containing (among other things) the base64-encoded notarization ticket, which just has to be decoded and copied into the .app bundle for stapling:
```bash
# CDhash of the main executable, as printed by `codesign -d -vvv` (20 bytes, hex)
cdhash=8d817db79d5c07d0deb7daf4908405f6a37c34b4
# Look up the ticket record in Apple's public CloudKit ticket-delivery database
curl -X POST -H "Content-Type: application/json" \
   --data "{ \"records\": { \"recordName\": \"2/2/${cdhash}\" }}" \
   https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup \
| jq -r ".records[0].fields.signedTicket.value"   # "records" in the response is an array
```
So, the only thing that is still missing for my stapler replacement is a way to obtain the code directory hash for a given application. On macOS (with the Xcode tools installed), I can get this hash with `codesign -d -vvv MyApp.app`, but this obviously only works if I have the `codesign` binary at hand. I've found a couple of Python wrappers for stapling tickets, but all of them just call `xcrun stapler staple` under the hood. This is **not what I want**.

So my question is: is there an (easy) way to extract the code directory hash from a macOS application, without using macOS-specific tools? A Python solution would be very much preferred. Ideally, such a solution would be cross-platform (so I should be able to use it on macOS as well as on - say - Linux).

**NOTE** I've originally asked this question on [StackOverflow](https://stackoverflow.com/questions/77413013) where it was closed as off-topic. If this isn't the correct site either, hopefully somebody can direct me to the real one.
Asked by umläute (133 rep)
Nov 7, 2023, 04:20 PM
Last activity: Nov 8, 2023, 07:04 AM
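The computation the question asks about, as an added example (not the poster's code, and not Apple's or any library's implementation): in pure Python, locate `LC_CODE_SIGNATURE` in a thin 64-bit Mach-O (for an .app bundle, the main executable under `Contents/MacOS/`), walk the embedded-signature SuperBlob, and hash each CodeDirectory blob with its own `hashType`, truncated to 20 bytes, which is the value `codesign -d -vvv` prints as CDHash. Universal (fat) binaries and big-endian images are not handled, and `build_signed_macho` is a constructed fixture that assembles a synthetic signed image so the code can be exercised offline.

```python
import hashlib
import struct

MH_MAGIC_64, LC_CODE_SIGNATURE = 0xFEEDFACF, 0x1D
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02
def code_signature_blob(data: bytes) -> bytes:
    """Slice out the embedded signature SuperBlob that LC_CODE_SIGNATURE points at."""
    if struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O (universal binaries are not handled here)")
    off, ncmds = 32, struct.unpack_from("<I", data, 16)[0]  # header is 32 bytes, ncmds at +16
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:  # linkedit_data_command: cmd, cmdsize, dataoff, datasize
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            return data[dataoff:dataoff + datasize]
        off += cmdsize
    raise ValueError("binary is not code-signed (no LC_CODE_SIGNATURE)")
def code_directory_hashes(data: bytes) -> dict:
    """Map each CodeDirectory's hashType to its cdhash (hex). Signature blobs are big-endian."""
    blob = code_signature_blob(data)
    magic, _, count = struct.unpack_from(">III", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("unexpected SuperBlob magic")
    result = {}
    for i in range(count):  # SuperBlob index entries: (slot type, offset) pairs
        _, off = struct.unpack_from(">II", blob, 12 + 8 * i)
        b_magic, b_len = struct.unpack_from(">II", blob, off)
        if b_magic != CSMAGIC_CODEDIRECTORY:
            continue  # skip requirements, entitlements and CMS signature blobs
        hash_type = blob[off + 37]  # uint8 hashType, right after hashSize at +36
        algo = {1: "sha1", 2: "sha256", 3: "sha256"}[hash_type]  # 3 = truncated SHA-256
        digest = hashlib.new(algo, blob[off:off + b_len]).digest()
        result[hash_type] = digest[:20].hex()  # a cdhash is always the first 20 bytes
    return result
def cdhash(data: bytes) -> str:
    hashes = code_directory_hashes(data)
    for t in (2, 3, 1):  # prefer the SHA-256 CodeDirectory, the one codesign reports as CDHash
        if t in hashes:
            return hashes[t]
    raise ValueError("no CodeDirectory in signature")
def build_signed_macho(*hash_types: int):
    """Constructed fixture: 64-bit Mach-O whose only load command is LC_CODE_SIGNATURE, with one minimal (version 0x20001, identifier only) CodeDirectory per hashType; returns (image, cds)."""
    cds, index, payload, off = [], b"", b"", 12 + 8 * len(hash_types)
    for i, ht in enumerate(hash_types):  # slot 0 = primary CD, 0x1000+n = alternate CDs
        body = struct.pack(">IIIIIIIBBBBI", 0x20001, 0, 0, 44, 0, 0, 0, 32 if ht == 2 else 20, ht, 0, 12, 0)
        cds.append(struct.pack(">II", CSMAGIC_CODEDIRECTORY, 24 + len(body)) + body + b"com.example.app\0")
        index += struct.pack(">II", 0 if i == 0 else 0x1000 + i - 1, off + len(payload))
        payload += cds[-1]
    superblob = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, off + len(payload), len(cds)) + index + payload
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)  # arm64 MH_EXECUTE
    return header + struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 48, len(superblob)) + superblob, cds
```

On a real binary, call `cdhash(open("MyApp.app/Contents/MacOS/MyApp", "rb").read())` and compare the result with what `codesign -d -vvv` prints before trusting it in a pipeline.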