diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1ac690d220..09412eee55 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -167,9 +167,7 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/v') && matrix.os == 'macos-latest'
         shell: bash
         run: |
-          scripts/desktop/build-lib-mac.sh
-          cd apps/multiplatform
-          ./gradlew packageDmg
+          scripts/desktop/build-desktop-mac-ci.sh
           echo "::set-output name=package_path::$(echo $PWD/release/main/dmg/SimpleX-*.dmg)"
 
       - name: Linux upload desktop package to release
diff --git a/apps/multiplatform/build.gradle.kts b/apps/multiplatform/build.gradle.kts
index bd5da47a14..5e0ae5eb47 100644
--- a/apps/multiplatform/build.gradle.kts
+++ b/apps/multiplatform/build.gradle.kts
@@ -1,6 +1,5 @@
-import org.gradle.initialization.Environment.Properties
 import java.io.File
-import java.io.FileInputStream
+import java.util.*
 
 buildscript {
     val prop = java.util.Properties().apply {
@@ -26,6 +25,17 @@ buildscript {
     extra.set("compression.level", (prop["compression.level"] as String?)?.toIntOrNull() ?: 0)
     // NOTE: If you need a different version of something, provide it in `local.properties`
     // like so: compose.version=123, or gradle.plugin.version=1.2.3, etc
+
+
+    /** Mac signing and notarization */
+    // You can specify `compose.desktop.mac.*` keys and values from the right side of the command in `$HOME/.gradle/gradle.properties`.
+    // This will be project-independent setup without requiring to have `local.properties` file
+    extra.set("desktop.mac.signing.identity", prop["desktop.mac.signing.identity"] ?: extra["compose.desktop.mac.signing.identity"])
+    extra.set("desktop.mac.signing.keychain", prop["desktop.mac.signing.keychain"] ?: extra["compose.desktop.mac.signing.keychain"])
+    extra.set("desktop.mac.notarization.apple_id", prop["desktop.mac.notarization.apple_id"] ?: extra["compose.desktop.mac.notarization.appleID"])
+    extra.set("desktop.mac.notarization.password", prop["desktop.mac.notarization.password"] ?: extra["compose.desktop.mac.notarization.password"])
+    extra.set("desktop.mac.notarization.team_id", prop["desktop.mac.notarization.team_id"] ?: extra["compose.desktop.mac.notarization.ascProvider"])
+
     repositories {
         google()
         mavenCentral()
diff --git a/apps/multiplatform/desktop/build.gradle.kts b/apps/multiplatform/desktop/build.gradle.kts
index 1d463a9ded..dc4aa89fbe 100644
--- a/apps/multiplatform/desktop/build.gradle.kts
+++ b/apps/multiplatform/desktop/build.gradle.kts
@@ -65,6 +65,23 @@ compose {
           iconFile.set(project.file("src/jvmMain/resources/distribute/simplex.icns"))
           appCategory = "public.app-category.social-networking"
           bundleID = "chat.simplex.app"
+          val identity = rootProject.extra["desktop.mac.signing.identity"] as String?
+          val keychain = rootProject.extra["desktop.mac.signing.keychain"] as String?
+          val appleId = rootProject.extra["desktop.mac.notarization.apple_id"] as String?
+          val password = rootProject.extra["desktop.mac.notarization.password"] as String?
+          val teamId = rootProject.extra["desktop.mac.notarization.team_id"] as String?
+          if (identity != null && keychain != null && appleId != null && password != null) {
+            signing {
+              sign.set(true)
+              this.identity.set(identity)
+              this.keychain.set(keychain)
+            }
+            notarization {
+              this.appleID.set(appleId)
+              this.password.set(password)
+              this.ascProvider.set(teamId)
+            }
+          }
         }
         val os = System.getProperty("os.name", "generic").toLowerCaseAsciiOnly()
         if (os.contains("mac") || os.contains("win")) {
diff --git a/apps/multiplatform/local.properties.example b/apps/multiplatform/local.properties.example
new file mode 100644
index 0000000000..8fa9a47963
--- /dev/null
+++ b/apps/multiplatform/local.properties.example
@@ -0,0 +1,10 @@
+compression.level=0
+enable_debuggable=true
+application_id.suffix=.debug
+app.name=SimpleX Debug
+
+#desktop.mac.signing.identity=SimpleX Chat Ltd
+#desktop.mac.signing.keychain=/path/to/simplex.keychain
+#desktop.mac.notarization.apple_id=example@example.com
+#desktop.mac.notarization.password=12345678
+#desktop.mac.notarization.team_id=XXXXXXXXXX
diff --git a/scripts/desktop/build-desktop-mac-ci.sh b/scripts/desktop/build-desktop-mac-ci.sh
new file mode 100755
index 0000000000..d11dfccb58
--- /dev/null
+++ b/scripts/desktop/build-desktop-mac-ci.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+trap "rm apps/multiplatform/local.properties; rm /tmp/simplex.keychain" EXIT
+echo "desktop.mac.signing.identity=Developer ID Application: SimpleX Chat Ltd (5NN7GUYB6T)" >> apps/multiplatform/local.properties
+echo "desktop.mac.signing.keychain=/tmp/simplex.keychain" >> apps/multiplatform/local.properties
+echo "desktop.mac.notarization.apple_id=$APPLE_SIMPLEX_NOTARIZATION_APPLE_ID" >> apps/multiplatform/local.properties
+echo "desktop.mac.notarization.password=$APPLE_SIMPLEX_NOTARIZATION_PASSWORD" >> apps/multiplatform/local.properties
+echo "desktop.mac.notarization.team_id=5NN7GUYB6T" >> apps/multiplatform/local.properties
+echo "$APPLE_SIMPLEX_SIGNING_KEYCHAIN" | base64 --decode - > /tmp/simplex.keychain
+
+scripts/desktop/build-lib-mac.sh
+cd apps/multiplatform
+./gradlew packageDmg
+./gradlew notarizeDmg