diff --git a/.github/workflows/testframework.yml b/.github/workflows/testframework.yml
index 288aee4273f3..6f6b87481161 100644
--- a/.github/workflows/testframework.yml
+++ b/.github/workflows/testframework.yml
@@ -69,7 +69,7 @@ jobs:
 
       - name: Build test framework
         working-directory: test
-        run: cargo build --release
+        run: cargo build --release --locked
 
   # Build the test runner + test manager at once.
   build-test-framework-macos:
@@ -91,7 +91,7 @@ jobs:
 
       - name: Build test runner
         working-directory: test
-        run: cargo build
+        run: cargo build --locked
 
   # Build only the test-runner binary on Windows. Windows is not a supported host for test-manager.
   build-test-runner-windows:
@@ -112,4 +112,4 @@ jobs:
 
       - name: Build test runner
         working-directory: test
-        run: cargo build --release -p test-runner --target x86_64-pc-windows-gnu
+        run: cargo build --release --locked -p test-runner --target x86_64-pc-windows-gnu
diff --git a/build.sh b/build.sh
index 6d76dc017f1f..66634d736714 100755
--- a/build.sh
+++ b/build.sh
@@ -101,11 +101,17 @@ fi
 if [[ "$OPTIMIZE" == "true" ]]; then
     CARGO_ARGS+=(--release)
     RUST_BUILD_MODE="release"
-    CPP_BUILD_MODE="Release"
     NPM_PACK_ARGS+=(--release)
 else
     RUST_BUILD_MODE="debug"
     NPM_PACK_ARGS+=(--no-compression)
+fi
+# The cargo builds that are part of the C++ builds only enforce `--locked` when built
+# in release mode. And we must enforce `--locked` for all signed builds. So we enable
+# release mode if either optimizations or signing is enabled.
+if [[ "$OPTIMIZE" == "true" || "$SIGN" == "true" ]]; then
+    CPP_BUILD_MODE="Release"
+else
     CPP_BUILD_MODE="Debug"
 fi
 
@@ -116,6 +122,11 @@ if [[ "$SIGN" == "true" ]]; then
         exit 1
     fi
 
+    # Will not allow an outdated lockfile when building with signatures
+    # (The build servers should never build without --locked for
+    # reproducibility and supply chain security)
+    CARGO_ARGS+=(--locked)
+
     if [[ "$(uname -s)" == "Darwin" ]]; then
         log_info "Configuring environment for signing of binaries"
         if [[ -z ${CSC_LINK-} ]]; then
@@ -156,9 +167,6 @@ fi
 if [[ "$IS_RELEASE" == "true" ]]; then
     log_info "Removing old Rust build artifacts..."
     cargo clean
-
-    # Will not allow an outdated lockfile in releases
-    CARGO_ARGS+=(--locked)
 else
     # Allow dev builds to override which API server to use at runtime.
     CARGO_ARGS+=(--features api-override)
diff --git a/desktop/packages/nseventforwarder/package.json b/desktop/packages/nseventforwarder/package.json
index c174d530b279..a85821c7ad9d 100644
--- a/desktop/packages/nseventforwarder/package.json
+++ b/desktop/packages/nseventforwarder/package.json
@@ -8,8 +8,8 @@
   "scripts": {
     "cargo-build": "tsc && cargo build",
     "build-debug": "npm run cargo-build && mkdir -p debug && cp ${CARGO_TARGET_DIR:-../../../target}/debug/libnseventforwarder.dylib debug/index.node",
-    "build-arm": "npm run cargo-build -- --release --target aarch64-apple-darwin && mkdir -p dist/darwin-arm64 && cp ${CARGO_TARGET_DIR:-../../../target}/aarch64-apple-darwin/release/libnseventforwarder.dylib dist/darwin-arm64/index.node",
-    "build-x86": "npm run cargo-build -- --release --target x86_64-apple-darwin && mkdir -p dist/darwin-x64 && cp ${CARGO_TARGET_DIR:-../../../target}/x86_64-apple-darwin/release/libnseventforwarder.dylib dist/darwin-x64/index.node",
+    "build-arm": "npm run cargo-build -- --release --locked --target aarch64-apple-darwin && mkdir -p dist/darwin-arm64 && cp ${CARGO_TARGET_DIR:-../../../target}/aarch64-apple-darwin/release/libnseventforwarder.dylib dist/darwin-arm64/index.node",
+    "build-x86": "npm run cargo-build -- --release --locked --target x86_64-apple-darwin && mkdir -p dist/darwin-x64 && cp ${CARGO_TARGET_DIR:-../../../target}/x86_64-apple-darwin/release/libnseventforwarder.dylib dist/darwin-x64/index.node",
     "clean": "rm -rf debug; rm -rf dist",
     "lint": "eslint .",
     "lint-fix": "eslint --fix ."
diff --git a/windows/nsis-plugins/src/cleanup/cleanup.vcxproj b/windows/nsis-plugins/src/cleanup/cleanup.vcxproj
index 324264a0c0f6..3dbb32ca652d 100644
--- a/windows/nsis-plugins/src/cleanup/cleanup.vcxproj
+++ b/windows/nsis-plugins/src/cleanup/cleanup.vcxproj
@@ -106,7 +106,7 @@
       <ModuleDefinitionFile>cleanup.def</ModuleDefinitionFile>
     </Link>
     <PreBuildEvent>
-      <Command>powershell.exe -Command "&amp; { Remove-Item Env:VSTEL_MSBuildProjectFullPath; cargo build --target i686-pc-windows-msvc --release -p mullvad-nsis }"
+      <Command>powershell.exe -Command "&amp; { Remove-Item Env:VSTEL_MSBuildProjectFullPath; cargo build --target i686-pc-windows-msvc --release --locked -p mullvad-nsis }"
 </Command>
       <Message>Build mullvad-nsis library</Message>
     </PreBuildEvent>
diff --git a/windows/nsis-plugins/src/log/log.vcxproj b/windows/nsis-plugins/src/log/log.vcxproj
index b80ae3545f34..b194f4684a1f 100644
--- a/windows/nsis-plugins/src/log/log.vcxproj
+++ b/windows/nsis-plugins/src/log/log.vcxproj
@@ -106,7 +106,7 @@
       <ModuleDefinitionFile>log.def</ModuleDefinitionFile>
     </Link>
     <PreBuildEvent>
-      <Command>powershell.exe -Command "&amp; { Remove-Item Env:VSTEL_MSBuildProjectFullPath; cargo build --target i686-pc-windows-msvc --release -p mullvad-nsis }"
+      <Command>powershell.exe -Command "&amp; { Remove-Item Env:VSTEL_MSBuildProjectFullPath; cargo build --target i686-pc-windows-msvc --release --locked -p mullvad-nsis }"
 </Command>
       <Message>Build mullvad-nsis library</Message>
     </PreBuildEvent>