--- a/.hgignore	Fri Jun 05 15:23:44 2020 +0100
+++ b/.hgignore	Fri Jun 05 16:53:23 2020 +0100
@@ -48,3 +48,5 @@
 build_win64_debug
 *.AppImage
 *.AppDir
+bundle
+bundle.zip

--- a/deploy/clean-build-and-package	Fri Jun 05 15:23:44 2020 +0100
+++ b/deploy/clean-build-and-package	Fri Jun 05 16:53:23 2020 +0100
@@ -31,6 +31,7 @@
     make clean
     make -j3
 
+    deploy/osx/sign.sh sonic-annotator
     deploy/osx/notarize.sh sonic-annotator
 
 else

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/Entitlements.plist	Fri Jun 05 16:53:23 2020 +0100
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.app-sandbox</key>
+        <false/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+        <key>com.apple.security.cs.allow-jit</key>
+	<true/>
+    </dict>
+</plist>

--- a/deploy/osx/notarize.sh	Fri Jun 05 15:23:44 2020 +0100
+++ b/deploy/osx/notarize.sh	Fri Jun 05 16:53:23 2020 +0100
@@ -29,7 +29,10 @@
 rm -f "$uuidfile" "$statfile"
 
 rm -f bundle.zip
-ditto -c -k "$exe" bundle.zip
+rm -rf bundle
+mkdir bundle
+cp "$exe" bundle/
+ditto -c -k bundle bundle.zip
 
 xcrun altool --notarize-app \
     -f "bundle.zip" \

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/sign.sh	Fri Jun 05 16:53:23 2020 +0100
@@ -0,0 +1,18 @@
+#!/bin/bash 
+
+set -e
+
+exe="$1"
+
+if [ ! -f "$exe" ] || [ -n "$2" ]; then
+    echo "Usage: $0 <executable>"
+    echo "  e.g. $0 my-program"
+    exit 2
+fi
+
+set -u
+
+entitlements=deploy/osx/Entitlements.plist
+
+codesign -s "Developer ID Application: Chris Cannam" -fv --options runtime --entitlements "$entitlements" "$exe"
+