diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 65fc26d..560885a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -14,14 +14,51 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@v2
 
+      - name: Install codesign certificate
+        env:
+          # DEV_CERT_B64: Base64-encoded developer certificate as .p12
+          # DEV_CERT_PWD: Developer certificate .p12 password
+          # KEYCHAIN_TIMEOUT: Lock keychain after timeout interval
+          # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
+          DEV_CERT_B64: ${{ secrets.DEV_CERT_B64 }}
+          DEV_CERT_PWD: ${{ secrets.DEV_CERT_PWD }}
+          KEYCHAIN_TIMEOUT: 21600
+        run: |
+          DEV_CERT_P12="$RUNNER_TEMP/dev_cert.p12"
+          KEYCHAIN_DB="$RUNNER_TEMP/keychain.keychain-db"
+          KEYCHAIN_PWD=$(openssl rand -base64 24)
+          security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_DB"
+          security set-keychain-settings -lut "$KEYCHAIN_TIMEOUT" "$KEYCHAIN_DB"
+          security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_DB"
+          echo -n "$DEV_CERT_B64" | base64 --decode --output "$DEV_CERT_P12"
+          security import "$DEV_CERT_P12" -P "$DEV_CERT_PWD" -A -t cert -f pkcs12 -k "$KEYCHAIN_DB"
+          security list-keychain -d user -s "$KEYCHAIN_DB"
+
       - name: Building
         run: |
           swift build -c release --arch arm64 --arch x86_64
-          cd .build/apple/Products/Release/
-          zip codeedit-cli.zip codeedit-cli
-          cd ../../../../
 
-      # CODESIGN & NOTARIZE THE BINARY
+      - name: Sign 
+        env:
+          CODESIGN_SIGN: ${{ secrets.CODESIGN_SIGN }}
+        run: |
+          security find-identity -p basic -v
+          codesign --sign "$CODESIGN_SIGN" --prefix austincondiff.CodeEdit. --options=runtime --verbose --timestamp .build/apple/Products/Release/codeedit-cli
+
+      - name: Zip
+        run: zip -r .build/apple/Products/Release/codeedit-cli.zip .build/apple/Products/Release/codeedit-cli
+
+      - name: Notarize
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PWD: ${{ secrets.APPLE_ID_PWD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          xcrun notarytool submit ".build/apple/Products/Release/codeedit-cli.zip" --apple-id "$APPLE_ID" --password "$APPLE_ID_PWD" --team-id "$APPLE_TEAM_ID" --verbose --wait --output-format plist > "NotarizationResponse.plist"
+          status=`/usr/libexec/PlistBuddy -c "Print :status" "NotarizationResponse.plist"`
+          if [[ $status != "Accepted" ]]; then
+            exit 999
+          fi
 
       - name: Create Release
         id: create_release
@@ -33,7 +70,7 @@ jobs:
           release_name: ${{ github.ref }}
           draft: false
           prerelease: false
-      
+
       - name: Upload Release Asset
         uses: actions/upload-release-asset@v1
         env:
@@ -41,5 +78,10 @@ jobs:
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: .build/apple/Products/Release/codeedit-cli.zip
-          asset_name: codeedit-cli-binary.zip
+          asset_name: codeedit-cli-universal-binary.zip
           asset_content_type: application/zip
+
+      - name: Clean up keychain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain "$RUNNER_TEMP/keychain.keychain-db"