diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aa6b3b9..f26f413 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,8 +41,20 @@ jobs:
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
 run: |
 goreleaser release --clean
+ env:
+ QUILL_NOTARY_ISSUER: ${{ secrets.QUILL_NOTARY_ISSUER }}
+ QUILL_NOTARY_KEY: ${{ secrets.QUILL_NOTARY_KEY }}
+ QUILL_NOTARY_KEY_ID: ${{ secrets.QUILL_NOTARY_KEY_ID }}
+ QUILL_SIGN_P12: ${{ secrets.QUILL_SIGN_P12 }}
+ QUILL_SIGN_PASSWORD: ${{ secrets.QUILL_SIGN_PASSWORD }}
 - name: Run GoReleaser on PR
 if: github.event_name == 'pull_request'
+ env:
+ QUILL_NOTARY_ISSUER: ${{ secrets.QUILL_NOTARY_ISSUER }}
+ QUILL_NOTARY_KEY: ${{ secrets.QUILL_NOTARY_KEY }}
+ QUILL_NOTARY_KEY_ID: ${{ secrets.QUILL_NOTARY_KEY_ID }}
+ QUILL_SIGN_P12: ${{ secrets.QUILL_SIGN_P12 }}
+ QUILL_SIGN_PASSWORD: ${{ secrets.QUILL_SIGN_PASSWORD }}
 run: |
 goreleaser release --snapshot --clean
 - name: Upload artifacts
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 5032af2..ccfbbe0 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -3,6 +3,7 @@ project_name: descope
 before:
 hooks:
 - go mod tidy
+ - go install github.com/anchore/quill/cmd/quill@v0
 env:
 - GO111MODULE=on
@@ -23,9 +24,21 @@ builds:
 - amd64
 - arm64
 goos:
- darwin
 - windows
 - linux
+ - binary: descope
+ id: macos
+ goos:
+ - darwin
+ goarch:
+ - amd64
+ - arm64
+ hooks:
+ post:
+ - cmd: quill sign-and-notarize "{{ .Path }}" -vv --dry-run={{ .IsSnapshot }} --ad-hoc={{ .IsSnapshot }}
+ env:
+ - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log
+
 dockers:
 - image_templates:
 - "ghcr.io/descope/cli:{{ .Tag }}-amd64"
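Review bot: The `env:` block added to the "Run GoReleaser on PR" step hands the signing identity (`QUILL_SIGN_P12`, `QUILL_SIGN_PASSWORD`) and the notary key to a step that builds unreviewed pull-request code. On that path the build is a snapshot, and the post hook in .goreleaser.yml passes `--dry-run` and `--ad-hoc` from `.IsSnapshot`, so the credentials do not appear to be needed there. A same-repository PR that edits the GoReleaser config or a build hook would run with them in its environment. I would drop the `env:` block from the PR step and keep it only on the tag-push step, ideally scoped through a protected GitHub environment. Fork PRs receive empty secrets, so the snapshot path has to work without them in any case.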
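Review bot: `quill@v0` in the new `before` hook is a floating version query, so each run installs whatever the newest v0 release is at that moment, and that binary is then trusted with the signing certificate and notary key. Pin an exact release instead, e.g. `- go install github.com/anchore/quill/cmd/quill@<pinned-version>`, and bump it deliberately in a reviewed commit. The hook runs for PR snapshot builds as well as tagged releases, so pinning also keeps those builds reproducible.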
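Review bot: The new `macos` build entry declares only `binary`, `id`, `goos`, `goarch` and `hooks`, and GoReleaser build entries do not inherit from one another. Any `main`, `ldflags`, `flags` or `env` set on the first build would therefore be missing from the darwin binaries; that entry starts above this hunk, so I cannot confirm what it sets. If such keys exist, repeat them on the `macos` entry or share them through a YAML anchor. Separately, `-vv` sends verbose output to a fixed `/tmp/quill-{{ .Target }}.log` while the credentials sit in the process environment, so it is worth confirming the later "Upload artifacts" step does not collect that file.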