diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 3cbe698..304c53e 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -69,6 +69,10 @@ builds: {{- else }}{{ .Arch }}{{ end }} {{- if .Arm }}-{{ .Arm }}{{ end }} no_unique_dist_dir: true + hooks: + post: + - cmd: ./script/sign '{{ .Path }}' + output: true archives: - format: binary diff --git a/script/sign b/script/sign new file mode 100755 index 0000000..ba1e4e3 --- /dev/null +++ b/script/sign @@ -0,0 +1,42 @@ +#!/bin/bash +# usage: script/sign +# +# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool, and signs +# Windows EXE and MSI files using osslsigncode. +# +set -e + +sign_macos() { + if [ -z "$APPLE_DEVELOPER_ID" ]; then + echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2 + return 0 + fi + + if [[ $1 == *.zip ]]; then + xcrun notarytool submit "$1" --apple-id "${APPLE_ID?}" --team-id "${APPLE_DEVELOPER_ID?}" --password "${APPLE_ID_PASSWORD?}" + else + codesign --timestamp --options=runtime -s "${APPLE_DEVELOPER_ID?}" -v "$1" + fi +} + +if [ $# -eq 0 ]; then + echo "usage: script/sign " >&2 + exit 1 +fi + +platform="$(uname -s)" + +for input_file; do + case "$input_file" in + *.exe | *.msi) + sign_windows "$input_file" + ;; + *) + if [ "$platform" = "Darwin" ]; then + sign_macos "$input_file" + else + printf "warning: don't know how to sign %s on %s\n" "$1", "$platform" >&2 + fi + ;; + esac +done
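Review bot: The new `post` hook passes only `{{ .Path }}`, and the script it invokes picks the signing method from the host's `uname -s`, so on a macOS builder every artifact that is not `*.zip`/`*.exe`/`*.msi` — including cross-compiled Linux binaries, if this project produces them — would be handed to `codesign`, which I would expect to fail and abort the release. Deciding by build target rather than host avoids that, e.g. passing `{{ .Os }}` alongside the path (`- cmd: ./script/sign '{{ .Os }}' '{{ .Path }}'`) or limiting the hook to the darwin build entries; I am inferring the cross-build case from the `.Arch`/`.Arm` templating in the context lines, so confirm against the full `builds:` list. `output: true` streams the signing tools' stdout into the release log, which is fine as long as the script never echoes credentials.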
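Review bot: `sign_windows` is called in the `*.exe | *.msi)` arm but is never defined in this file and nothing is sourced, so under `set -e` any Windows artifact makes the script exit 127 despite the header comment promising osslsigncode signing; either add the function or fail explicitly with a clear message until it exists. The fallback `printf` in the `*)` arm passes `"$1",` (the first argument plus a literal comma) instead of the current file — it should read `printf "warning: don't know how to sign %s on %s\n" "$input_file" "$platform" >&2`. `notarytool submit` returns once the upload is accepted, so a rejected notarization would not fail the release; adding `--wait` makes the exit status reflect the actual result. The app-specific password is handed over on the command line via `--password`, where it is visible in process listings and any traced output; storing it once with `notarytool store-credentials` and passing `--keychain-profile` keeps it out of argv. The usage text in the header comment and in the `$# -eq 0` message appears to have lost its argument placeholder (possibly in rendering); confirm it names the expected file arguments.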