diff --git a/.github/add_signing_key.sh b/.github/add_signing_key.sh
new file mode 100755
index 00000000..689e2cad
--- /dev/null
+++ b/.github/add_signing_key.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+tar xvf secrets.tar
+KEY_CHAIN=mac-build.keychain
+
+# Create the keychain with a password
+security create-keychain -p travis $KEY_CHAIN
+
+# Make the custom keychain default, so xcodebuild will use it for signing
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain for one hour
+security unlock-keychain -p travis $KEY_CHAIN
+security set-keychain-settings -t 3600 -u $KEY_CHAIN
+
+# Add certificates to keychain and allow codesign to access them
+curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer
+security import AppleWWDRCA.cer  -k  ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
+security import certificate.cer  -k  ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
+security import certificate.p12  -k  ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD -T /usr/bin/codesign
+security unlock-keychain -p travis $KEY_CHAIN
+
+# https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
+security set-key-partition-list -S apple-tool:,apple: -s -k travis $KEY_CHAIN
+popd
diff --git a/.github/remove_signing_key.sh b/.github/remove_signing_key.sh
new file mode 100755
index 00000000..218471c5
--- /dev/null
+++ b/.github/remove_signing_key.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+security delete-keychain mac-build.keychain
+rm -f certificate.cer certificate.p12
+popd
diff --git a/.github/secrets.tar.enc b/.github/secrets.tar.enc
new file mode 100644
index 00000000..20690baa
Binary files /dev/null and b/.github/secrets.tar.enc differ
diff --git a/.travis.yml b/.travis.yml
index 23d5c7e3..873fb530 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -65,12 +65,17 @@ addons:
 before_install:
   # brew install gengetopt help2man cmocka ccache llvm;
   # export PATH="/usr/local/opt/ccache/libexec:/usr/local/opt/llvm/bin:$PATH";
+  # add magic notarization flags for macOS, see https://github.com/akeru-inc/xcnotary/blob/master/README.md
   - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
         brew update;
         brew uninstall libtool;
         brew install libtool;
         brew install gengetopt help2man cmocka ccache;
         export PATH="/usr/local/opt/ccache/libexec:$PATH";
+        openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
+        .github/add_signing_key.sh;
+        export OTHER_CODE_SIGN_FLAGS=--timestamp CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual;
+        git clone https://github.com/frankmorgner/OpenSCToken.git;
     fi
   - if [ "${DO_SIMULATION}" = "cac" ]; then
         sudo apt-get install -y libglib2.0-dev libnss3-dev  pkgconf libtool make autoconf autoconf-archive automake libsofthsm2-dev softhsm2 softhsm2-common help2man gnutls-bin libcmocka-dev libusb-dev libudev-dev flex libnss3-tools libssl-dev libpcsclite1;
@@ -309,6 +314,10 @@ after_script:
       git config --global user.name "Travis CI";
       .github/push_artifacts.sh "Travis CI build ${TRAVIS_JOB_NUMBER}";
     fi
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
+      .github/remove_signing_key.sh;
+      rm -f .github/secrets.tar;
+    fi
 
 before_cache:
   - brew cleanup
@@ -319,6 +328,8 @@ cache:
   directories:
     - $HOME/.m2/
     - $HOME/Library/Caches/Homebrew
+    - openssl
+    - openpace
     - openssl_bin
     - openpace_bin
     - isetup
diff --git a/MacOSX/build-package.in b/MacOSX/build-package.in
index 53248ac7..fb9979c1 100755
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
@@ -19,6 +19,13 @@ SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
 # Set SDK path
 export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"
 
+# xcodebuild doesn't read the environment variables
+# transform them into parameters
+P1="${CODE_SIGN_IDENTITY:+CODE_SIGN_IDENTITY=${CODE_SIGN_IDENTITY}}"
+P2="${OTHER_CODE_SIGN_FLAGS:+OTHER_CODE_SIGN_FLAGS=${OTHER_CODE_SIGN_FLAGS}}"
+P3="${CODE_SIGN_INJECT_BASE_ENTITLEMENTS:+CODE_SIGN_INJECT_BASE_ENTITLEMENTS=${CODE_SIGN_INJECT_BASE_ENTITLEMENTS}}"
+P4="${CODE_SIGN_STYLE:+CODE_SIGN_STYLE=${CODE_SIGN_STYLE}}"
+
 export SED=/usr/bin/sed
 PREFIX=/Library/OpenSC
 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
@@ -90,7 +97,7 @@ fi
 if ! test -e NotificationProxy; then
 	git clone http://github.com/frankmorgner/NotificationProxy.git
 fi
-xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
+xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ "$P1" "$P2" "$P3" "$P4"
 mkdir -p "$BUILDPATH/target/Applications"
 osacompile -o "$BUILDPATH/target/Applications/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
 
@@ -106,7 +113,7 @@ if (( xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)\.[0-9]*/\1/p' <
 	test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src
 
 	# Build and copy OpenSC.tokend
-	xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
+	xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend "$P1" $P2 "$P3" "$P4"
 else
 	# https://github.com/OpenSC/OpenSC.tokend/issues/33
 	mkdir -p ${BUILDPATH}/target_tokend
@@ -139,24 +146,25 @@ if test -e OpenSCToken; then
 	cd OpenSCToken
 	# make sure OpenSCToken builds with the same dependencies as before
 	if ! test -e OpenSC; then
-		git clone --depth=1 ../../OpenSC
+		git clone --depth=1 file://$PWD/../../OpenSC
 	else
 		cd OpenSC && git pull && cd ..
 	fi
-	if ! test -e openssl; then
-		git clone --depth=1 ../openssl
-	else
-		cd openssl && git pull && cd ..
+	mkdir -p build
+	if ! test -e build/openssl; then
+		# build/openssl/lib/libcrypto.a is hardcoded in OpenSCToken
+		ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl
+		# in OpenSCToken's variant of OpenSC we still use OpenSSL flags from above
 	fi
-	if ! test -e openpace; then
-		git clone --depth=1 ../openpace
-	else
-		cd openpace && git pull && cd ..
+	if ! test -e build/openpace; then
+		# build/openpace/lib/libeac.a is hardcoded in OpenSCToken
+		ln -sf $BUILDPATH/openpace_bin/$PREFIX build/openpace
+		# in OpenSCToken's variant of OpenSC we still use OpenPACE flags from above
 	fi
 	BP=${BUILDPATH}
 	. ./bootstrap
 	BUILDPATH=${BP}
-	xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token
+	xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token  "$P1" "$P2" "$P3" "$P4"
 	cd ..
 else
 	# if no OpenSCToken is checked out, then we create a dummy package