On macOS, you need to sign apps with a certificate from Apple. Certificates from any other provider will not be enough to make Gatekeeper happy.
If you're distributing in the Mac App Store, you'll need a Mac App Distribution Certificate.
If you're distributing outside of the App Store (like on your website or something), then you'll need a Developer ID certificate.
Again, you get both of these from Apple, so you need to sign up for their developer program.
Personally, I have never tried using one of Apple's certificates to sign a .air file. I'm not sure if that will work. However, I do know for certain that you can use an Apple certificate to sign the .app file that you get when you create a captive runtime bundle.
(On a side note, you definitely should be creating captive runtime bundles for both macOS and Windows these days. It seems pretty risky to keep using the shared runtime.)
Signing with Apple's certificates works a little differently, though. I found that you need to do it after you package the AIR app. It's like an extra step at the end. You can sign the app with Apple's certificate using the codesign tool from Xcode. I previously posted how I do that here:
https://forum.starling-framework.org/d/21724-globalsign-native-installer-signing/16
Further down in the same thread, I also posted how to create .pkg installer for macOS:
https://forum.starling-framework.org/d/21724-globalsign-native-installer-signing/22