diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cdd08b403..938581a8a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -181,9 +181,33 @@ jobs:
 - name: Build CLI
 if: matrix.target != 'aarch64-unknown-linux-gnu'
 run: cargo build --release --target ${{ matrix.target }} --bin openfang
- - name: Ad-hoc codesign CLI binary (macOS)
+ - name: Import macOS signing certificate
+ if: runner.os == 'macOS'
+ env:
+ MAC_CERT_BASE64: ${{ secrets.MAC_CERT_BASE64 }}
+ MAC_CERT_PASSWORD: ${{ secrets.MAC_CERT_PASSWORD }}
+ run: |
+ echo "$MAC_CERT_BASE64" | base64 --decode > $RUNNER_TEMP/certificate.p12
+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+ KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+ security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ security import $RUNNER_TEMP/certificate.p12 -P "$MAC_CERT_PASSWORD" \
+ -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+ security list-keychain -d user -s "$KEYCHAIN_PATH"
+ security set-key-partition-list -S apple-tool:,apple:,codesign: \
+ -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" \
+ | grep "Developer ID Application" | head -1 | awk -F'"' '{print $2}')
+ echo "APPLE_SIGNING_IDENTITY=$IDENTITY" >> $GITHUB_ENV
+ rm -f $RUNNER_TEMP/certificate.p12
+ - name: Codesign CLI binary (macOS)
 if: runner.os == 'macOS'
- run: codesign --force --sign - target/${{ matrix.target }}/release/openfang
+ run: |
+ codesign --force --sign "$APPLE_SIGNING_IDENTITY" \
+ --timestamp --options runtime \
+ target/${{ matrix.target }}/release/openfang
 - name: Package (Unix)
 if: matrix.archive == 'tar.gz'
 run: |
diff --git a/scripts/install.sh b/scripts/install.sh
index 7e645bf5b..4fbfa1e3d 100644
--- a/scripts/install.sh
+++ b/scripts/install.sh
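Review bot: `IDENTITY=$(security find-identity … | grep "Developer ID Application" | head -1 | awk …)` in the import step yields an empty string when no matching identity is in the keychain (wrong certificate type in the .p12, or the secrets unset on this trigger), and the step still succeeds because the pipeline's status is awk's; the next step then runs `codesign --sign ""` and fails with a misleading message. Add `[ -n "$IDENTITY" ] || { echo "::error::no 'Developer ID Application' identity found in keychain"; exit 1; }` before the `GITHUB_ENV` line. The keychain holding the imported private key is never deleted, and `certificate.p12` survives if any earlier command in the script fails, since `rm -f` is the last line; that is harmless on ephemeral hosted runners but on self-hosted ones a cleanup step `if: always() && runner.os == 'macOS'` running `security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true` is worth adding. Whether a notarization step follows the hardened-runtime signing is not visible here; the enclosing job starts outside the hunk.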
@@ -110,9 +110,15 @@ install() {
 tar xzf "$ARCHIVE" -C "$INSTALL_DIR"
 chmod +x "$INSTALL_DIR/openfang"
 
- # Ad-hoc codesign on macOS (prevents SIGKILL on Apple Silicon)
- if [ "$OS" = "darwin" ] && command -v codesign &>/dev/null; then
- codesign --force --sign - "$INSTALL_DIR/openfang" 2>/dev/null || true
+ # macOS: strip quarantine/provenance attrs and re-sign for Apple Silicon
+ if [ "$OS" = "darwin" ]; then
+ xattr -cr "$INSTALL_DIR/openfang" 2>/dev/null || true
+ if command -v codesign &>/dev/null; then
+ if ! codesign --force --sign - "$INSTALL_DIR/openfang" 2>&1; then
+ echo " Warning: codesign failed. Run manually:"
+ echo " codesign --force --sign - \"$INSTALL_DIR/openfang\""
+ fi
+ fi
 fi
 
 # Add to PATH — detect the user's login shell
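Review bot: `codesign --force --sign -` in the new block unconditionally replaces whatever signature the downloaded binary already carries, so once the release workflow signs with a Developer ID identity (the release.yml hunk in this same commit) the installer strips that signature together with its timestamp and hardened-runtime flags and leaves an ad-hoc one; the `xattr -cr` just before it also clears the quarantine attribute before any signature has been checked. Verify first and fall back to ad-hoc signing only when the existing signature is missing or invalid: change the inner test to `if codesign --verify --strict "$INSTALL_DIR/openfang" 2>/dev/null; then :` followed by `elif ! codesign --force --sign - "$INSTALL_DIR/openfang" 2>&1; then` for the fallback, keeping the warning branch as is. Separately, `command -v codesign &>/dev/null` (pre-existing) is a bash-only redirection; if install.sh is meant to run under `sh`, use `>/dev/null 2>&1`. The `install()` function continues outside the hunk on both sides.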