diff --git a/Makefile b/Makefile
index 97f1e97163db9ce53fdfe82615387f68870c888d..2759704b0f2251f053861f14013a95be24145d6a 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,8 @@ TARGET ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam binname |
 PROVIDER ?= $(shell grep ^'provider =' ${VENDOR_PATH}/vendor.conf | cut -d '=' -f 2 | tr -d "[:space:]")
 VERSION ?= $(shell git describe)
 WINCERTPASS ?= pass
+OSXAPPPASS  ?= pass
+OSXMORDORUID ?= uid
 
 # go paths
 GOPATH = $(shell go env GOPATH)
@@ -30,9 +32,8 @@ endif
 QTBUILD = build/qt
 INSTALLER = build/installer
 INST_DATA = ${INSTALLER}/packages/bitmaskvpn/data/
-OSX_CERT="Developer ID Installer: LEAP Encryption Access Project"
-MACDEPLOYQT_OPTS = -appstore-compliant -qmldir=gui/qml -always-overwrite
-# XXX expired cert -codesign="${OSX_CERT}"
+OSX_CERT="Developer ID Application: LEAP Encryption Access Project"
+MACDEPLOYQT_OPTS = -appstore-compliant -qmldir=gui/qml -always-overwrite -codesign="${OSX_CERT}"
 	
 SCRIPTS = branding/scripts
 TEMPLATES = branding/templates
@@ -67,7 +68,7 @@ dependsLinux:
 	@# debian needs also: snap install snapcraft --classic; snap install  multipass --beta --classic
 
 dependsDarwin:
-	@brew install python3 golang make pkg-config curl
+	@brew install python3 golang make pkg-config curl create-dmg
 	@brew install --default-names gnu-sed
 
 dependsCYGWIN_NT-10.0:
@@ -214,6 +215,33 @@ ifeq (${PLATFORM}, windows)
 	# TODO add flag to skip signing for regular builds
 	"c:\windows\system32\signtool.exe" sign -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/installer/${APPNAME}-installer-${VERSION}.exe
 endif
+ifeq (${PLATFORM}, darwin)
+	gsed -i "s/com.yourcompany.installerbase/se.leap.bitmask.${TARGET}/g" build/installer/${APPNAME}-installer-${VERSION}.app/Contents/Info.plist
+	codesign -s ${OSX_CERT} --options "runtime" build/installer/${APPNAME}-installer-${VERSION}.app
+	ditto -ck --rsrc --sequesterRsrc build/installer/${APPNAME}-installer-${VERSION}.app build/installer/${APPNAME}-installer-${VERSION}.zip
+endif
+
+notarize_installer:
+# courtesy of https://skyronic.com/2019/07/app-notarization-for-qt-applications/
+ifeq (${PLATFORM}, darwin)
+	xcrun altool --notarize-app -t osx -f build/installer/${APPNAME}-installer-${VERSION}.zip --primary-bundle-id="se.leap.bitmask.${TARGET}" -u "info@leap.se" -p ${OSXAPPPASS}
+endif
+
+notarize_check:
+ifeq (${PLATFORM}, darwin)
+	xcrun altool --notarization-info ${OSXMORDORUID} -u "info@leap.se" -p ${OSXAPPPASS}
+endif
+
+notarize_staple:
+ifeq (${PLATFORM}, darwin)
+	xcrun stapler staple build/installer/${APPNAME}-installer-${VERSION}.app
+endif
+
+create_dmg:
+ifeq (${PLATFORM}, darwin)
+	@create-dmg deploy/${APPNAME}-${VERSION}.dmg build/installer/${APPNAME}-installer-${VERSION}.app
+endif
+
 
 check_qtifw:
 ifdef HAS_QTIFW
diff --git a/bitmask.pro b/bitmask.pro
index e9b40db445e72ba69c6e1c0ec8acbd0328c7605b..32c701da39067e9ecde9177ce86170c49d5d7b21 100644
--- a/bitmask.pro
+++ b/bitmask.pro
@@ -5,6 +5,8 @@ windows:CONFIG -= console
 unix:DEBUG:CONFIG += debug
 lessThan(QT_MAJOR_VERSION, 5): error("requires Qt 5")
 QMAKE_MACOSX_DEPLOYMENT_TARGET = 10.11
+QMAKE_TARGET_BUNDLE_PREFIX = se.leap
+QMAKE_BUNDLE = $$TARGET
 
 !defined(VENDOR_PATH, var):VENDOR_PATH="providers/riseup"
 
diff --git a/branding/templates/qtinstaller/config/config.xml b/branding/templates/qtinstaller/config/config.xml
index df7b6d4d810ebd76a546a704bcc58c058c77daff..0de8db972997a3810a6c8a7cfbda3502b153fa8f 100644
--- a/branding/templates/qtinstaller/config/config.xml
+++ b/branding/templates/qtinstaller/config/config.xml
@@ -4,6 +4,7 @@
     <Version>$VERSION</Version>
     <Title>$APPNAME Installer ($VERSION)</Title>
     <Publisher>LEAP Encryption Access Project</Publisher>
+    <ProductUrl>https://leap.se</ProductUrl>
     <AllowNonAsciiCharacters>false</AllowNonAsciiCharacters>
     <Logo>installer-logo.png</Logo>
     <InstallerApplicationIcon>installer-icon</InstallerApplicationIcon>
diff --git a/branding/templates/qtinstaller/installer.pro b/branding/templates/qtinstaller/installer.pro
index 3d653344423e359c89c972227a03834fcff10f88..6aab8434f616a827dec5743e90963f8aafe0bc95 100644
--- a/branding/templates/qtinstaller/installer.pro
+++ b/branding/templates/qtinstaller/installer.pro
@@ -1,4 +1,5 @@
 !defined(INSTALLER, var):INSTALLER= "BitmaskVPN-Installer-git"
+!defined(TARGET, var):TARGET= "bitmask-vpn"
 TEMPLATE = aux
 CONFIG -= debug_and_release
 
@@ -8,6 +9,8 @@ inst.output = $$INSTALLER
 inst.commands = binarycreator --ignore-translations -c $$PWD/config/config.xml -p $$PWD/packages ${QMAKE_FILE_OUT}
 inst.CONFIG += target_predeps no_link combine
 
+QMAKE_TARGET_BUNDLE_PREFIX = se.leap
+QMAKE_BUNDLE = $$TARGET
 QMAKE_EXTRA_COMPILERS += inst
 
 OTHER_FILES += \