diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1711e2b..3629f99 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,15 +1,19 @@
 name: Release
 
 on:
+  pull_request:
+    branches:
+      # Remove after debug.
+      - feature/notarization
   push:
     tags:
       - "*.*.*"
 
 jobs:
   build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v4
 
       # Tips on Go binary:
       # https://github.com/actions/setup-go/issues/27#issuecomment-549102955
@@ -18,6 +22,9 @@ jobs:
           export PATH=${PATH}:`go env GOPATH`/bin
           make install
           make build
+        env:
+          QUILL_SIGN_P12:      ${{ secrets.APPLE_P12_BASE64_ENCODED }}
+          QUILL_SIGN_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
 
       - name: Create a release and upload assets
         env:
diff --git a/.gitignore b/.gitignore
index 08d0020..8fca7c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,6 +18,7 @@
 .vscode
 build
 coverage.txt
+quill
 
 # Only applies to top-level directories.
 /coverage
diff --git a/Makefile b/Makefile
index 2fde92c..00c6b53 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ BUILD := ./build
 
 install:
 	go install github.com/mitchellh/gox@latest
+	curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b . v0.4.2
 
 clean:
 	mkdir -p $(BUILD)
@@ -32,6 +33,11 @@ build-darwin: clean
 	gox -output="$(BUILD)/{{.Dir}}_{{.OS}}_{{.Arch}}" \
 		-osarch="darwin/amd64" \
 		-osarch="darwin/arm64"
+
+	@echo "Notarizing.."
+	./quill sign-and-notarize ./build/release_darwin_amd64 || true
+	./quill sign-and-notarize ./build/release_darwin_arm64 || true
+
 	@echo "Bundling.."
 	$(MAKE) bundle-nix