diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release.yml
similarity index 51%
rename from .github/workflows/release-linux.yml
rename to .github/workflows/release.yml
index 45f1ae57..ad68e72c 100644
--- a/.github/workflows/release-linux.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,9 @@
 on:
   workflow_dispatch:
+  push:
 
 jobs:
-  build:
+  build-linux:
     strategy:
       fail-fast: false
       matrix:
@@ -21,13 +22,41 @@ jobs:
         run: |
           docker compose run --build --rm xtool -c "Linux/build.sh && mv Linux/packages/xtool{,-${{ matrix.host.arch }}}.AppImage"
       - name: Upload artifact
-        id: upload_artifact
         uses: actions/upload-artifact@v4
         with:
           name: xtool-${{ matrix.host.arch }}
           path: Linux/packages/xtool-${{ matrix.host.arch }}.AppImage
+  build-mac:
+    runs-on: macos-15
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          working-directory: macOS
+          bundler-cache: true
+      - name: Build
+        env:
+          APP_STORE_CONNECT_API_KEY_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_KEY_ID }}
+          APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
+          APP_STORE_CONNECT_API_KEY_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY_KEY }}
+          IDENTITY_P12: ${{ secrets.IDENTITY_P12 }}
+          DEVELOPMENT_TEAM: ${{ secrets.DEVELOPMENT_TEAM }}
+        run: |
+          cd macOS
+          bundle exec fastlane package
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: xtool-mac
+          path: |
+            macOS/Build/Output/xtool.app.zip
+            macOS/Build/Output/xtool.app.dSYM.zip
   release:
-    needs: build
+    needs: [build-linux, build-mac]
     runs-on: ubuntu-24.04
     permissions:
       contents: write
@@ -36,14 +65,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Download artifact
-        id: download_artifact
         uses: actions/download-artifact@v4
         with:
           pattern: xtool-*
           path: output
       - name: Create and publish release
-        id: publish_release
         run: |
           TAG="${GITHUB_REF##*/}-${GITHUB_SHA:0:7}"
           gh release create "$TAG" --draft --title "Draft Release"
-          gh release upload "$TAG" output/**/*.AppImage
+          gh release upload "$TAG" output/**/*.{AppImage,app.zip,app.dSYM.zip}
diff --git a/macOS/.gitignore b/macOS/.gitignore
index e2b06cdb..3a09e373 100644
--- a/macOS/.gitignore
+++ b/macOS/.gitignore
@@ -1,2 +1,7 @@
 /XToolMac.xcodeproj
 Private*.xcconfig
+
+/fastlane/README.md
+/fastlane/report.xml
+/Build
+/Private
diff --git a/macOS/.ruby-version b/macOS/.ruby-version
new file mode 100644
index 00000000..6cb9d3dd
--- /dev/null
+++ b/macOS/.ruby-version
@@ -0,0 +1 @@
+3.4.3
diff --git a/macOS/Gemfile b/macOS/Gemfile
new file mode 100644
index 00000000..02b672ee
--- /dev/null
+++ b/macOS/Gemfile
@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gem 'fastlane'
+gem 'fastlane-plugin-xcodegen'
+
+# https://github.com/fastlane/fastlane/issues/29183#issuecomment-2567093826
+gem "abbrev"
+gem "mutex_m"
+gem "ostruct"
diff --git a/macOS/Gemfile.lock b/macOS/Gemfile.lock
new file mode 100644
index 00000000..29aa2fb2
--- /dev/null
+++ b/macOS/Gemfile.lock
@@ -0,0 +1,236 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    CFPropertyList (3.0.7)
+      base64
+      nkf
+      rexml
+    abbrev (0.1.2)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    artifactory (3.0.17)
+    atomos (0.1.3)
+    aws-eventstream (1.3.2)
+    aws-partitions (1.1102.0)
+    aws-sdk-core (3.223.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      jmespath (~> 1, >= 1.6.1)
+      logger
+    aws-sdk-kms (1.100.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-s3 (1.185.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sdk-kms (~> 1)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.11.0)
+      aws-eventstream (~> 1, >= 1.0.2)
+    babosa (1.0.4)
+    base64 (0.2.0)
+    claide (1.1.0)
+    colored (1.2)
+    colored2 (3.1.2)
+    commander (4.6.0)
+      highline (~> 2.0.0)
+    declarative (0.0.20)
+    digest-crc (0.7.0)
+      rake (>= 12.0.0, < 14.0.0)
+    domain_name (0.6.20240107)
+    dotenv (2.8.1)
+    emoji_regex (3.2.3)
+    excon (0.112.0)
+    faraday (1.10.4)
+      faraday-em_http (~> 1.0)
+      faraday-em_synchrony (~> 1.0)
+      faraday-excon (~> 1.1)
+      faraday-httpclient (~> 1.0)
+      faraday-multipart (~> 1.0)
+      faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.0)
+      faraday-patron (~> 1.0)
+      faraday-rack (~> 1.0)
+      faraday-retry (~> 1.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-cookie_jar (0.0.7)
+      faraday (>= 0.8.0)
+      http-cookie (~> 1.0.0)
+    faraday-em_http (1.0.0)
+    faraday-em_synchrony (1.0.0)
+    faraday-excon (1.1.0)
+    faraday-httpclient (1.0.1)
+    faraday-multipart (1.1.0)
+      multipart-post (~> 2.0)
+    faraday-net_http (1.0.2)
+    faraday-net_http_persistent (1.2.0)
+    faraday-patron (1.0.0)
+    faraday-rack (1.0.0)
+    faraday-retry (1.0.3)
+    faraday_middleware (1.2.1)
+      faraday (~> 1.0)
+    fastimage (2.4.0)
+    fastlane (2.227.2)
+      CFPropertyList (>= 2.3, < 4.0.0)
+      addressable (>= 2.8, < 3.0.0)
+      artifactory (~> 3.0)
+      aws-sdk-s3 (~> 1.0)
+      babosa (>= 1.0.3, < 2.0.0)
+      bundler (>= 1.12.0, < 3.0.0)
+      colored (~> 1.2)
+      commander (~> 4.6)
+      dotenv (>= 2.1.1, < 3.0.0)
+      emoji_regex (>= 0.1, < 4.0)
+      excon (>= 0.71.0, < 1.0.0)
+      faraday (~> 1.0)
+      faraday-cookie_jar (~> 0.0.6)
+      faraday_middleware (~> 1.0)
+      fastimage (>= 2.1.0, < 3.0.0)
+      fastlane-sirp (>= 1.0.0)
+      gh_inspector (>= 1.1.2, < 2.0.0)
+      google-apis-androidpublisher_v3 (~> 0.3)
+      google-apis-playcustomapp_v1 (~> 0.1)
+      google-cloud-env (>= 1.6.0, < 2.0.0)
+      google-cloud-storage (~> 1.31)
+      highline (~> 2.0)
+      http-cookie (~> 1.0.5)
+      json (< 3.0.0)
+      jwt (>= 2.1.0, < 3)
+      mini_magick (>= 4.9.4, < 5.0.0)
+      multipart-post (>= 2.0.0, < 3.0.0)
+      naturally (~> 2.2)
+      optparse (>= 0.1.1, < 1.0.0)
+      plist (>= 3.1.0, < 4.0.0)
+      rubyzip (>= 2.0.0, < 3.0.0)
+      security (= 0.1.5)
+      simctl (~> 1.6.3)
+      terminal-notifier (>= 2.0.0, < 3.0.0)
+      terminal-table (~> 3)
+      tty-screen (>= 0.6.3, < 1.0.0)
+      tty-spinner (>= 0.8.0, < 1.0.0)
+      word_wrap (~> 1.0.0)
+      xcodeproj (>= 1.13.0, < 2.0.0)
+      xcpretty (~> 0.4.1)
+      xcpretty-travis-formatter (>= 0.0.3, < 2.0.0)
+    fastlane-plugin-brew (0.1.1)
+    fastlane-plugin-xcodegen (1.1.0)
+      fastlane-plugin-brew (~> 0.1.1)
+    fastlane-sirp (1.0.0)
+      sysrandom (~> 1.0)
+    gh_inspector (1.1.3)
+    google-apis-androidpublisher_v3 (0.54.0)
+      google-apis-core (>= 0.11.0, < 2.a)
+    google-apis-core (0.11.3)
+      addressable (~> 2.5, >= 2.5.1)
+      googleauth (>= 0.16.2, < 2.a)
+      httpclient (>= 2.8.1, < 3.a)
+      mini_mime (~> 1.0)
+      representable (~> 3.0)
+      retriable (>= 2.0, < 4.a)
+      rexml
+    google-apis-iamcredentials_v1 (0.17.0)
+      google-apis-core (>= 0.11.0, < 2.a)
+    google-apis-playcustomapp_v1 (0.13.0)
+      google-apis-core (>= 0.11.0, < 2.a)
+    google-apis-storage_v1 (0.31.0)
+      google-apis-core (>= 0.11.0, < 2.a)
+    google-cloud-core (1.8.0)
+      google-cloud-env (>= 1.0, < 3.a)
+      google-cloud-errors (~> 1.0)
+    google-cloud-env (1.6.0)
+      faraday (>= 0.17.3, < 3.0)
+    google-cloud-errors (1.5.0)
+    google-cloud-storage (1.47.0)
+      addressable (~> 2.8)
+      digest-crc (~> 0.4)
+      google-apis-iamcredentials_v1 (~> 0.1)
+      google-apis-storage_v1 (~> 0.31.0)
+      google-cloud-core (~> 1.6)
+      googleauth (>= 0.16.2, < 2.a)
+      mini_mime (~> 1.0)
+    googleauth (1.8.1)
+      faraday (>= 0.17.3, < 3.a)
+      jwt (>= 1.4, < 3.0)
+      multi_json (~> 1.11)
+      os (>= 0.9, < 2.0)
+      signet (>= 0.16, < 2.a)
+    highline (2.0.3)
+    http-cookie (1.0.8)
+      domain_name (~> 0.5)
+    httpclient (2.9.0)
+      mutex_m
+    jmespath (1.6.2)
+    json (2.11.3)
+    jwt (2.10.1)
+      base64
+    logger (1.7.0)
+    mini_magick (4.13.2)
+    mini_mime (1.1.5)
+    multi_json (1.15.0)
+    multipart-post (2.4.1)
+    mutex_m (0.3.0)
+    nanaimo (0.4.0)
+    naturally (2.2.1)
+    nkf (0.2.0)
+    optparse (0.6.0)
+    os (1.1.4)
+    ostruct (0.6.1)
+    plist (3.7.2)
+    public_suffix (6.0.2)
+    rake (13.2.1)
+    representable (3.2.0)
+      declarative (< 0.1.0)
+      trailblazer-option (>= 0.1.1, < 0.2.0)
+      uber (< 0.2.0)
+    retriable (3.1.2)
+    rexml (3.4.1)
+    rouge (3.28.0)
+    ruby2_keywords (0.0.5)
+    rubyzip (2.4.1)
+    security (0.1.5)
+    signet (0.20.0)
+      addressable (~> 2.8)
+      faraday (>= 0.17.5, < 3.a)
+      jwt (>= 1.5, < 3.0)
+      multi_json (~> 1.10)
+    simctl (1.6.10)
+      CFPropertyList
+      naturally
+    sysrandom (1.0.5)
+    terminal-notifier (2.0.0)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    trailblazer-option (0.1.2)
+    tty-cursor (0.7.1)
+    tty-screen (0.8.2)
+    tty-spinner (0.9.3)
+      tty-cursor (~> 0.7)
+    uber (0.1.0)
+    unicode-display_width (2.6.0)
+    word_wrap (1.0.0)
+    xcodeproj (1.27.0)
+      CFPropertyList (>= 2.3.3, < 4.0)
+      atomos (~> 0.1.3)
+      claide (>= 1.0.2, < 2.0)
+      colored2 (~> 3.1)
+      nanaimo (~> 0.4.0)
+      rexml (>= 3.3.6, < 4.0)
+    xcpretty (0.4.1)
+      rouge (~> 3.28.0)
+    xcpretty-travis-formatter (1.0.1)
+      xcpretty (~> 0.2, >= 0.0.7)
+
+PLATFORMS
+  arm64-darwin-24
+  ruby
+
+DEPENDENCIES
+  abbrev
+  fastlane
+  fastlane-plugin-xcodegen
+  mutex_m
+  ostruct
+
+BUNDLED WITH
+   2.6.7
diff --git a/macOS/fastlane/Appfile b/macOS/fastlane/Appfile
new file mode 100644
index 00000000..94c5a447
--- /dev/null
+++ b/macOS/fastlane/Appfile
@@ -0,0 +1 @@
+app_identifier("sh.xtool.XToolMac")
diff --git a/macOS/fastlane/Fastfile b/macOS/fastlane/Fastfile
new file mode 100644
index 00000000..0dbfea92
--- /dev/null
+++ b/macOS/fastlane/Fastfile
@@ -0,0 +1,66 @@
+default_platform(:mac)
+
+ENV["FASTLANE_XCODEBUILD_SETTINGS_TIMEOUT"] = "120"
+
+lane :package do
+  xcodegen
+
+  # Config is controlled via env vars
+  app_store_connect_api_key(
+    is_key_content_base64: true,
+  )
+
+  create_keychain(
+    name: "xtool.keychain",
+    password: "",
+    unlock: true,
+  )
+
+  unlock_keychain(
+    path: "xtool.keychain",
+    password: "",
+  )
+
+  Tempfile.create(["Identity", ".p12"]) do |file|
+    file.write(Base64.decode64(ENV["IDENTITY_P12"]))
+    file.close
+    import_certificate(
+      certificate_path: file.path,
+      keychain_name: "xtool.keychain",
+      keychain_password: "",
+    )
+  end
+
+  sigh(
+    platform: "macos",
+    output_path: "./Build/Signing",
+    force: true,
+    developer_id: true,
+  )
+
+  update_code_signing_settings(
+    use_automatic_signing: false,
+    team_id: ENV["DEVELOPMENT_TEAM"],
+    code_sign_identity: "Developer ID Application",
+    profile_name: lane_context[SharedValues::SIGH_NAME],
+  )
+
+  gym(
+    export_method: "developer-id",
+    output_directory: "./Build/Output",
+  )
+
+  notarize(
+    package: "./Build/Output/xtool.app",
+  )
+
+  # we need to re-package after notarization and stapling.
+  # we have to use `ditto --sequesterRsrc` rather than zip
+  # because the default strategy stores resource forks as
+  # ._Foo but codesigning doesn't like that, and instead
+  # wants them in __MACOSX.
+  sh(
+    "ditto", "-c", "-k", "--keepParent", "--sequesterRsrc",
+    "../Build/Output/xtool.app", "../Build/Output/xtool.app.zip",
+  )
+end