diff --git a/.github/workflows/goreleaser-fleet.yaml b/.github/workflows/goreleaser-fleet.yaml
index f192a624ff..46661da9bd 100644
--- a/.github/workflows/goreleaser-fleet.yaml
+++ b/.github/workflows/goreleaser-fleet.yaml
@@ -58,6 +58,20 @@ jobs:
 - name: Install Go Dependencies
 run: make deps-go
+ - name: Install macOS signing + notarization tools
+ run: |
+ pushd /tmp
+ readonly version="0.27.0"
+ readonly codesign_package="apple-codesign-${version}-x86_64-unknown-linux-musl.tar.gz"
+ curl -O -L "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${version}/${codesign_package}"
+ curl -O -L "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${version}/${codesign_package}.sha256"
+ echo "$(cat $codesign_package.sha256) $codesign_package" | sha256sum --quiet --strict --check -
+ tar --extract --strip-components 1 --file "$codesign_package"
+ mkdir -p $HOME/.bin
+ mv rcodesign $HOME/.bin/
+ echo "$HOME/.bin" >> $GITHUB_PATH
+ popd
+
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b
 with:
@@ -67,6 +81,11 @@ jobs:
 env:
 GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
+ APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
+ APPLE_APP_STORE_CONNECT_KEY: ${{ secrets.APPLE_APP_STORE_CONNECT_KEY }}
+ APPLE_APP_STORE_CONNECT_KEY_ID: ${{ secrets.APPLE_APP_STORE_CONNECT_KEY_ID }}
+ APPLE_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}
 - name: Get tag
 run: |
diff --git a/.goreleaser.yml b/.goreleaser.yml
index e4fa880edc..ea4b437966 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
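Review bot: The checksum step in the new `Install macOS signing + notarization tools` block fetches the `.sha256` file from the same release URL as the tarball, so it only detects a corrupted transfer, not a swapped or tampered release asset; pinning the expected digest next to `version` is what makes the tool download verifiable. Replace the second `curl` and the `echo` line with `readonly codesign_sha256="<expected-sha256-of-tarball>"  # placeholder: pin alongside version` and `echo "${codesign_sha256}  ${codesign_package}" | sha256sum --quiet --strict --check -`. While there, quoting `"$codesign_package"` inside the `cat` keeps that line consistent with the quoting on the `tar` line below it.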
@@ -79,6 +79,9 @@ universal_binaries:
 ids: [fleetctl-macos] # source binaries
 replace: true
 name_template: fleetctl # resulting binary name
+ hooks:
+ post:
+ - sh -c "FLEETCTL_BINARY_PATH={{ .Path }} ./tools/sign-fleetctl/main.sh"
 archives:
 - id: fleet
diff --git a/tools/sign-fleetctl/main.sh b/tools/sign-fleetctl/main.sh
new file mode 100755
index 0000000000..6ce037956a
--- /dev/null
+++ b/tools/sign-fleetctl/main.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+check_env_var() {
+ if [[ -z "${!1}" ]]; then
+ echo "Error: Environment variable $1 not set."
+ exit 1
+ fi
+}
+
+# check required environment variables
+check_env_var "APPLE_APPLICATION_CERTIFICATE"
+check_env_var "APPLE_APPLICATION_CERTIFICATE_PASSWORD"
+check_env_var "APPLE_APP_STORE_CONNECT_KEY"
+check_env_var "APPLE_APP_STORE_CONNECT_KEY_ID"
+check_env_var "APPLE_APP_STORE_CONNECT_ISSUER_ID"
+check_env_var "FLEETCTL_BINARY_PATH"
+
+cleanup() {
+ echo "Cleaning up..."
+ rm -f certificate.p12
+ rm -rf private_keys
+ rm -f fleetctl.zip
+}
+
+# trap EXIT signal to call cleanup function
+trap cleanup EXIT
+
+echo "Signing binary..."
+printf "%s" "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
+rcodesign sign --p12-file certificate.p12 \
+ --p12-password "$APPLE_APPLICATION_CERTIFICATE_PASSWORD" \
+ --for-notarization "$FLEETCTL_BINARY_PATH"
+
+echo "Notarizing binary..."
+mkdir -p private_keys
+printf "%s" "$APPLE_APP_STORE_CONNECT_KEY" > "private_keys/AuthKey_$APPLE_APP_STORE_CONNECT_KEY_ID.p8"
+zip fleetctl.zip "$FLEETCTL_BINARY_PATH"
+rcodesign notary-submit \
+ --api-issuer "$APPLE_APP_STORE_CONNECT_ISSUER_ID" \
+ --api-key "$APPLE_APP_STORE_CONNECT_KEY_ID" \
+ --wait --max-wait-seconds 300 fleetctl.zip
+
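Review bot: The new post hook passes `{{ .Path }}` into `sh -c` as an unquoted assignment, so a path containing whitespace or shell metacharacters would be word-split before `main.sh` ever runs; quote it as `- sh -c "FLEETCTL_BINARY_PATH='{{ .Path }}' ./tools/sign-fleetctl/main.sh"`. The hook also depends on the working directory being the repository root for `./tools/sign-fleetctl/main.sh`, which is worth stating in a comment above `hooks:`, e.g. `# runs from the repo root; signs and notarizes the universal binary in place`. A non-zero exit from the script must abort the release rather than ship an unsigned binary; from this hunk alone I cannot confirm how goreleaser treats a failing post hook, so that is worth verifying once.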
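Review bot: The decoded `certificate.p12` and the `AuthKey_<id>.p8` private key are written into the current working directory with the process's default umask, so on a typical runner they are readable by other processes until the `EXIT` trap removes them, and the trap does not run at all if the job is killed hard. Create them with restricted permissions instead: `(umask 077; printf "%s" "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12)`, `mkdir -m 0700 -p private_keys` and `(umask 077; printf "%s" "$APPLE_APP_STORE_CONNECT_KEY" > "private_keys/AuthKey_$APPLE_APP_STORE_CONNECT_KEY_ID.p8")` — the subshell keeps the umask from changing the mode of the signed binary that `rcodesign sign` writes. The p12 password is also passed on the `rcodesign sign` command line, where it is visible in the process table for the duration of the call; if the pinned rcodesign release offers a file-based password option, prefer it. Minor: `check_env_var` prints its failure to stdout, `echo "Error: Environment variable $1 not set." >&2` belongs on stderr.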