diff --git a/.travis.yml b/.travis.yml
index 3875add5..bbb5a58d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,40 +2,10 @@ language: node_js
 node_js: 11
 
 stages:
-  - Build
-  - name: Docs
-    if: branch = master
+  - Docs
 
 jobs:
   include:
-    - stage: 'Build'
-      os: linux
-      before_install:
-        - set -e
-        - rm app/node_modules/.yarn-integrity || true
-        - yarn
-      script:
-        - set -e
-        - scripts/build-native.js
-        - yarn run build:typings
-        - yarn run build
-        - scripts/prepackage-plugins.js
-        - travis_wait scripts/build-linux.js
-
-    - stage: 'Build'
-      os: osx
-      before_install:
-        - set -e
-        - rm app/node_modules/.yarn-integrity || true
-        - yarn
-      script:
-        - set -e
-        - scripts/build-native.js
-        - yarn run build:typings
-        - yarn run build
-        - scripts/prepackage-plugins.js
-        - travis_wait scripts/build-macos.js
-
     - stage: 'Docs'
       os: linux
       if: branch = master
@@ -62,7 +32,6 @@ addons:
     - sourceline: 'deb https://dl.yarnpkg.com/debian/ stable main'
       key_url: 'https://dl.yarnpkg.com/debian/pubkey.gpg'
 
-
 cache:
   directories:
   - 'terminus-*/node_modules'
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 7fd6e93e..eb11e45a 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -179,6 +179,9 @@ jobs:
       CSC_KEY_PASSWORD: $(CSC_KEY_PASSWORD)
       BT_TOKEN: $(BT_TOKEN)
       GH_TOKEN: $(GH_TOKEN)
+      APPSTORE_USERNAME: $(APPSTORE_USERNAME)
+      APPSTORE_PASSWORD: $(APPSTORE_PASSWORD)
+      BRANCH: $[ variables['Build.SourceBranch'] ]
 
   - task: CopyFiles@2
     inputs:
diff --git a/build/mac/afterSignHook.js b/build/mac/afterSignHook.js
new file mode 100644
index 00000000..8a7aa7a9
--- /dev/null
+++ b/build/mac/afterSignHook.js
@@ -0,0 +1,35 @@
+// See: https://medium.com/@TwitterArchiveEraser/notarize-electron-apps-7a5f988406db
+
+const fs = require('fs')
+const path = require('path')
+const notarizer = require('electron-notarize')
+
+module.exports = async function (params) {
+    // notarize the app on Mac OS only.
+    if (process.platform !== 'darwin' || process.env.BRANCH !== 'refs/heads/master') {
+        return
+    }
+    console.log('afterSign hook triggered', params)
+
+    let appId = 'org.terminus'
+
+    let appPath = path.join(params.appOutDir, `${params.packager.appInfo.productFilename}.app`)
+    if (!fs.existsSync(appPath)) {
+        throw new Error(`Cannot find application at: ${appPath}`)
+    }
+
+    console.log(`Notarizing ${appId} found at ${appPath}`)
+
+    try {
+        await notarizer.notarize({
+            appBundleId: appId,
+            appPath: appPath,
+            appleId: process.env.APPSTORE_USERNAME,
+            appleIdPassword: process.env.APPSTORE_PASSWORD,
+        })
+    } catch (error) {
+        console.error(error)
+    }
+
+    console.log(`Done notarizing ${appId}`)
+}
diff --git a/build/mac/entitlements.plist b/build/mac/entitlements.plist
new file mode 100644
index 00000000..38c887b2
--- /dev/null
+++ b/build/mac/entitlements.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+  </dict>
+</plist>
diff --git a/package.json b/package.json
index 019f6cdd..a1bff8f4 100644
--- a/package.json
+++ b/package.json
@@ -18,6 +18,7 @@
     "electron": "^5.0.5",
     "electron-builder": "^20.44.4",
     "electron-installer-snap": "^4.0.0",
+    "electron-notarize": "^0.1.1",
     "electron-rebuild": "^1.8.5",
     "eslint": "^5.16.0",
     "file-loader": "^4.0.0",
@@ -58,6 +59,7 @@
     "appId": "org.terminus",
     "productName": "Terminus",
     "compression": "normal",
+    "afterSign": "./build/mac/afterSignHook.js",
     "files": [
       "**/*",
       "dist"
@@ -93,6 +95,8 @@
       "category": "public.app-category.video",
       "icon": "./build/mac/icon.icns",
       "artifactName": "terminus-${version}-macos.${ext}",
+      "hardenedRuntime": true,
+      "entitlements": "./build/mac/entitlements.plist",
       "extendInfo": {
         "NSRequiresAquaSystemAppearance": false
       }
diff --git a/yarn.lock b/yarn.lock
index 502138cb..24aa0226 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2006,6 +2006,14 @@ electron-localshortcut@^3.1.0:
     keyboardevent-from-electron-accelerator "^1.1.0"
     keyboardevents-areequal "^0.2.1"
 
+electron-notarize@^0.1.1:
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91"
+  integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^8.0.1"
+
 electron-osx-sign@0.4.11:
   version "0.4.11"
   resolved "https://registry.yarnpkg.com/electron-osx-sign/-/electron-osx-sign-0.4.11.tgz#8377732fe7b207969f264b67582ee47029ce092f"