diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
new file mode 100644
index 000000000..00e256e02
--- /dev/null
+++ b/build/entitlements.mac.plist
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.device.microphone</key>
+    <true/>
+    <key>com.apple.security.files.downloads.read-write</key>
+    <true/>
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+    <key>com.apple.security.network.client</key>
+    <true/>
+  </dict>
+</plist>
+
diff --git a/package.json b/package.json
index d7902d1c4..88a6718ef 100644
--- a/package.json
+++ b/package.json
@@ -20,6 +20,7 @@
     "build": "electron-builder --config.extraMetadata.environment=$SIGNAL_ENV",
     "build-release": "SIGNAL_ENV=production npm run build -- --config.directories.output=release",
     "sign-release": "node ts/updater/generateSignature.js",
+    "notarize": "node ts/build/notarize.js",
     "build-module-protobuf": "pbjs --target static-module --wrap commonjs --out ts/protobuf/compiled.js protos/*.proto && pbts --out ts/protobuf/compiled.d.ts ts/protobuf/compiled.js",
     "clean-module-protobuf": "rm -f ts/protobuf/compiled.d.ts ts/protobuf/compiled.js",
     "build-protobuf": "yarn build-module-protobuf",
@@ -59,6 +60,7 @@
     "electron-editor-context-menu": "1.1.1",
     "electron-is-dev": "0.3.0",
     "electron-mocha": "8.1.1",
+    "electron-notarize": "0.1.1",
     "emoji-datasource": "4.1.0",
     "emoji-datasource-apple": "4.1.0",
     "emoji-regex": "8.0.0",
@@ -194,6 +196,8 @@
       "artifactName": "${name}-mac-${version}.${ext}",
       "category": "public.app-category.social-networking",
       "darkModeSupport": true,
+      "hardenedRuntime": true,
+      "entitlements": "./build/entitlements.mac.plist",
       "icon": "build/icons/mac/icon.icns",
       "publish": [
         {
diff --git a/prepare_import_build.js b/prepare_import_build.js
index e74a168ed..4fb59e55a 100644
--- a/prepare_import_build.js
+++ b/prepare_import_build.js
@@ -60,6 +60,11 @@ checkValue(packageJson, WIN_ASSET_PATH, WIN_ASSET_START_VALUE);
 _.set(packageJson, MAC_ASSET_PATH, MAC_ASSET_END_VALUE);
 _.set(packageJson, WIN_ASSET_PATH, WIN_ASSET_END_VALUE);
 
+const MAC_BUILD_TARGET = 'build.mac.target';
+const MAC_BUILD_TARGET_END_VALUE = ['dmg'];
+
+_.set(packageJson, MAC_BUILD_TARGET, MAC_BUILD_TARGET_END_VALUE);
+
 // ---
 
 fs.writeFileSync(
diff --git a/ts/build/notarize.ts b/ts/build/notarize.ts
new file mode 100644
index 000000000..51aea826a
--- /dev/null
+++ b/ts/build/notarize.ts
@@ -0,0 +1,76 @@
+import { join, resolve } from 'path';
+import { readdir as readdirCallback } from 'fs';
+
+import pify from 'pify';
+
+import { notarize } from 'electron-notarize';
+
+// @ts-ignore
+import * as packageJson from '../../package.json';
+
+const readdir = pify(readdirCallback);
+
+/* tslint:disable:no-console */
+
+// tslint:disable-next-line:no-floating-promises
+go();
+
+async function go() {
+  if (process.platform !== 'darwin') {
+    console.log('notarize: Skipping, not on macOS');
+
+    return;
+  }
+
+  const appPath = await findDMG();
+  const appBundleId = packageJson.build.appId;
+  if (!appBundleId) {
+    throw new Error(
+      'appBundleId must be provided in package.json: build.appId'
+    );
+  }
+
+  const appleId = process.env.APPLE_USERNAME;
+  if (!appleId) {
+    throw new Error(
+      'appleId must be provided in environment variable APPLE_USERNAME'
+    );
+  }
+
+  const appleIdPassword = process.env.APPLE_PASSWORD;
+  if (!appleIdPassword) {
+    throw new Error(
+      'appleIdPassword must be provided in environment variable APPLE_PASSWORD'
+    );
+  }
+
+  console.log('Notarizing with...');
+  console.log(`  file: ${appPath}`);
+  console.log(`  primaryBundleId: ${appBundleId}`);
+  console.log(`  username: ${appleId}`);
+
+  await notarize({
+    appBundleId,
+    appPath,
+    appleId,
+    appleIdPassword,
+  });
+}
+
+const IS_DMG = /\.dmg$/;
+async function findDMG(): Promise<string> {
+  const releaseDir = resolve('release');
+  const files: Array<string> = await readdir(releaseDir);
+
+  const max = files.length;
+  for (let i = 0; i < max; i += 1) {
+    const file = files[i];
+    const fullPath = join(releaseDir, file);
+
+    if (IS_DMG.test(file)) {
+      return fullPath;
+    }
+  }
+
+  throw new Error("No suitable file found in 'release' folder!");
+}
diff --git a/ts/util/lint/exceptions.json b/ts/util/lint/exceptions.json
index 5c27b582c..417d4ae99 100644
--- a/ts/util/lint/exceptions.json
+++ b/ts/util/lint/exceptions.json
@@ -3352,6 +3352,46 @@
     "reasonCategory": "falseMatch",
     "updated": "2019-04-10T19:08:25.356Z"
   },
+  {
+    "rule": "jQuery-load(",
+    "path": "node_modules/electron-notarize/node_modules/debug/dist/debug.js",
+    "line": "        createDebug.enable(createDebug.load());",
+    "lineNumber": 721,
+    "reasonCategory": "falseMatch",
+    "updated": "2019-10-10T18:29:02.491Z"
+  },
+  {
+    "rule": "jQuery-load(",
+    "path": "node_modules/electron-notarize/node_modules/debug/dist/debug.js",
+    "line": "        function load() {",
+    "lineNumber": 855,
+    "reasonCategory": "falseMatch",
+    "updated": "2019-10-10T18:29:02.491Z"
+  },
+  {
+    "rule": "jQuery-load(",
+    "path": "node_modules/electron-notarize/node_modules/debug/src/browser.js",
+    "line": "function load() {",
+    "lineNumber": 211,
+    "reasonCategory": "falseMatch",
+    "updated": "2019-10-10T18:29:02.491Z"
+  },
+  {
+    "rule": "jQuery-load(",
+    "path": "node_modules/electron-notarize/node_modules/debug/src/common.js",
+    "line": "\tcreateDebug.enable(createDebug.load());",
+    "lineNumber": 261,
+    "reasonCategory": "falseMatch",
+    "updated": "2019-10-10T18:29:02.491Z"
+  },
+  {
+    "rule": "jQuery-load(",
+    "path": "node_modules/electron-notarize/node_modules/debug/src/node.js",
+    "line": "function load() {",
+    "lineNumber": 216,
+    "reasonCategory": "falseMatch",
+    "updated": "2019-10-10T18:29:02.491Z"
+  },
   {
     "rule": "eval",
     "path": "node_modules/electron/electron.d.ts",
diff --git a/yarn.lock b/yarn.lock
index 4225ae9fe..3c83d93cd 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2881,6 +2881,14 @@ electron-mocha@8.1.1:
     which "^1.3.1"
     yargs "^13.3.0"
 
+electron-notarize@0.1.1:
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91"
+  integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^8.0.1"
+
 electron-publish@21.2.0:
   version "21.2.0"
   resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-21.2.0.tgz#cc225cb46aa62e74b899f2f7299b396c9802387d"
@@ -3875,7 +3883,7 @@ fs-extra@^7.0.1:
     jsonfile "^4.0.0"
     universalify "^0.1.0"
 
-fs-extra@^8.1.0:
+fs-extra@^8.0.1, fs-extra@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-8.1.0.tgz#49d43c45a88cd9677668cb7be1b46efdb8d2e1c0"
   integrity sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g==