diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0704248..52b51b5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -138,6 +138,11 @@ elseif(APPLE)
 foreach(qtModule in Pdf Svg)
 file(REMOVE_RECURSE \"${bundleContentsDir}/Frameworks/Qt\\\${qtModule}.framework\")
 endforeach()
+
+ # codesign
+ execute_process(COMMAND \"${CMAKE_SOURCE_DIR}/dmg_osx/codesign.sh\"
+ WORKING_DIRECTORY \"${bundleContentsDir}\"
+ )
 ")
 install(SCRIPT ${qtDeployScript})
 elseif(LINUX)
@@ -164,6 +169,7 @@ set(CPACK_PACKAGE_NAME "${projectDisplayName}")
 set(CPACK_PACKAGE_VENDOR "LibreELEC")
 if(APPLE)
 set(CPACK_PACKAGE_FILE_NAME "LibreELEC.USB-SD.Creator.macOS")
+ set(CPACK_POST_BUILD_SCRIPTS "${CMAKE_SOURCE_DIR}/dmg_osx/notarize.cmake")
 set(CPACK_GENERATOR DragNDrop)
 set(CPACK_DMG_BACKGROUND_IMAGE "${CMAKE_SOURCE_DIR}/dmg_osx/background.png")
diff --git a/dmg_osx/codesign.sh b/dmg_osx/codesign.sh
new file mode 100755
index 0000000..f5f825e
--- /dev/null
+++ b/dmg_osx/codesign.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# working directory - .app/Contents
+
+if [ -z "$CODE_SIGN_IDENTITY" ] ; then
+ echo 'skip signing - no code sign identity provided in CODE_SIGN_IDENTITY'
+ exit 0
+fi
+
+function sign {
+ codesign --verbose=4 --force --timestamp --options=runtime --sign "$CODE_SIGN_IDENTITY" "$1"
+}
+
+
+echo 'sign frameworks'
+for framework in Frameworks/*.framework ; do
+ sign "$framework"
+done
+
+echo 'sign dylibs'
+for lib in $(find PlugIns -type f -iname '*.dylib') ; do
+ sign "$lib"
+done
+
+echo 'sign app bundle'
+sign ..
diff --git a/dmg_osx/notarize.cmake b/dmg_osx/notarize.cmake
new file mode 100644
index 0000000..cb5d683
--- /dev/null
+++ b/dmg_osx/notarize.cmake
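Review bot: The `execute_process` added to the generated install script (first CMakeLists.txt hunk) never checks the exit status of `codesign.sh`, so a signing failure is ignored and the install step goes on to package a bundle that is unsigned or only partly signed. The three `execute_process` calls in `dmg_osx/notarize.cmake` (codesign, `notarytool submit`, `stapler staple`) have the same gap, so a failed or rejected submission would still leave a DMG in the output directory looking like a finished release artifact. Add `COMMAND_ERROR_IS_FATAL ANY` to each call, or capture `RESULT_VARIABLE` and stop with `message(FATAL_ERROR ...)` when it is non-zero. `COMMAND_ERROR_IS_FATAL` needs CMake 3.19, the same release that introduced `CPACK_POST_BUILD_SCRIPTS`; the project's `cmake_minimum_required` is not visible here, so confirm it. The script string this hunk edits opens outside the hunk.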
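Review bot: Nothing in `dmg_osx/codesign.sh` stops on a failed `codesign` call, so a framework or dylib that fails to sign is passed over and the script's exit status reflects only the final `sign ..`. Add `set -eo pipefail` after the shebang (not `-u` as written, because the first test reads a possibly unset `CODE_SIGN_IDENTITY`). The dylib loop `for lib in $(find ...)` also word-splits its results, so a path containing whitespace would be signed as the wrong names; `find PlugIns -type f -iname '*.dylib' -print0 | while IFS= read -r -d '' lib; do sign "$lib"; done` handles any path. A short header comment stating that the script expects to run from `.app/Contents` and signs inside-out (frameworks, plug-in dylibs, then the bundle) would document why the order matters.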
@@ -0,0 +1,30 @@
+set(dmgPath "${CPACK_PACKAGE_FILES}")
+
+if(NOT DEFINED ENV{CODE_SIGN_IDENTITY})
+ message("skip dmg signing & notarization - no code sign identity provided in CODE_SIGN_IDENTITY")
+ return()
+endif()
+message("sign dmg")
+execute_process(COMMAND
+ codesign --verbose=4 --force --sign "$ENV{CODE_SIGN_IDENTITY}" "${dmgPath}"
+)
+
+if(NOT DEFINED ENV{ASC_API_KEY} OR NOT DEFINED ENV{ASC_API_KEY_ID} OR NOT DEFINED ENV{ASC_API_KEY_ISSUER} OR NOT DEFINED ENV{ASC_TEAM_ID})
+ message("skip dmg notarization - ASC_API_KEY / ASC_API_KEY_ID / ASC_API_KEY_ISSUER / ASC_TEAM_ID not provided")
+ return()
+endif()
+message("notarize dmg")
+execute_process(COMMAND
+ xcrun notarytool submit
+ --verbose
+ --key "$ENV{ASC_API_KEY}"
+ --key-id "$ENV{ASC_API_KEY_ID}"
+ --issuer "$ENV{ASC_API_KEY_ISSUER}"
+ --team-id "$ENV{ASC_TEAM_ID}"
+ --wait
+ --timeout 30m
+ "${dmgPath}"
+)
+execute_process(COMMAND
+ xcrun stapler staple "${dmgPath}"
+)
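Review bot: `if(NOT DEFINED ENV{CODE_SIGN_IDENTITY})` skips only when the variable is absent, whereas `codesign.sh` tests with `-z` and also skips when it is empty, so the two halves of the signing flow disagree on what "not provided" means. CI systems commonly export a missing secret as an empty string, and in that case this script would go on to run `codesign --sign ""` and, past the ASC_* check, `notarytool` with empty credentials instead of skipping cleanly. Test the value rather than its existence, e.g. `if("$ENV{CODE_SIGN_IDENTITY}" STREQUAL "")`, and do the same for the four ASC_* variables. The DMG `codesign` call also omits the `--timestamp` that `codesign.sh` passes; if a secure timestamp is wanted on the DMG signature as well, add it here. `dmgPath` is taken from `CPACK_PACKAGE_FILES`, which is a list, so a comment noting that exactly one package file is assumed would help.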