diff --git a/bin/sign.sh b/bin/sign.sh
old mode 100644
new mode 100755
index 6d678e0..c645a16
--- a/bin/sign.sh
+++ b/bin/sign.sh
@@ -6,41 +6,74 @@ echo -e "\033[1;33m[sign]\033[0m"
 appDir=app
-if [ ! "$THUMBPRINT" ]; then
- echo "[ERROR] THUMBPRINT environment variable unset; cannot sign EXEs."
- exit 1
-fi
-
-# Find the correct signtool.exe.
-arch=$(uname -m)
-case "$arch" in
- x86_64) arch=x64 ;;
+sign_linux() {
+ echo "[INFO] Signing complete! Nothing was signed, because Linux binaries just work,"
+ echo "[INFO] without invasively asking for permission from corporate overlords."
+}
+
+sign_macos() {
+ if [ ! "$DEV_ID" ]
+ then
+ echo "[ERROR] DEV_ID environment variable unset; cannot sign executables."
+ exit 1
+ fi
+ for exe in "$appDir/Contents/MacOS/"*-macos-*
+ do
+ codesign --force --options runtime \
+ --entitlements sign/entitlements.plist \
+ --sign "$DEV_ID" "$exe"
+ codesign -vv "$exe"
+ done
+
+ echo "[INFO] Signing complete!"
+}
+
+sign_windows() {
+ if [ ! "$THUMBPRINT" ]; then
+ echo "[ERROR] THUMBPRINT environment variable unset; cannot sign EXEs."
+ exit 1
+ fi
+
+ # Find the correct signtool.exe.
+ arch=$(uname -m)
+ case "$arch" in
+ x86_64) arch=x64 ;;
+ esac
+ signtool=$(
+ find '/c/Program Files'*'/Windows Kits' -name signtool.exe |
+ grep "/$arch/" | head -n1
+ )
+
+ if [ -f "$signtool" ]
+ then
+ echo "Found signtool.exe at: $signtool"
+ else
+ echo "[ERROR] signtool.exe not found at: $signtool"
+ exit 1
+ fi
+
+ if [ ! "$TIMESTAMP_SERVER" ]; then
+ TIMESTAMP_SERVER="http://time.certum.pl/"
+ fi
+
+ "$signtool" sign /sha1 "$THUMBPRINT" \
+ /tr "$TIMESTAMP_SERVER" \
+ /td SHA256 /fd SHA256 /v \
+ "$appDir\\"*.exe \
+ "$appDir\\jaunch\\jaunch-windows-"*.exe &&
+
+ "$signtool" verify /pa /all \
+ "$appDir\\"*.exe \
+ "$appDir\\jaunch\\jaunch-windows-"*.exe
+
+ echo "[INFO] Signing complete!"
+}
+
+case "$(uname -s)" in
+ Linux) sign_linux ;;
+ Darwin) sign_macos ;;
+ MINGW*|MSYS*) sign_windows ;;
+ *)
+ echo "[WARNING] Don't know how to sign binaries for platform: $(uname -s)"
+ ;;
 esac
-signtool=$(
- find '/c/Program Files'*'/Windows Kits' -name signtool.exe |
- grep "/$arch/" | head -n1
-)
-
-if [ -f "$signtool" ]
-then
- echo "Found signtool.exe at: $signtool"
-else
- echo "[ERROR] signtool.exe not found at: $signtool"
- exit 1
-fi
-
-if [ ! "$TIMESTAMP_SERVER" ]; then
- TIMESTAMP_SERVER="http://time.certum.pl/"
-fi
-
-"$signtool" sign /sha1 "$THUMBPRINT" \
- /tr "$TIMESTAMP_SERVER" \
- /td SHA256 /fd SHA256 /v \
- "$appDir\\"*.exe \
- "$appDir\\jaunch\\jaunch-windows-"*.exe &&
-
-"$signtool" verify /pa /all \
- "$appDir\\"*.exe \
- "$appDir\\jaunch\\jaunch-windows-"*.exe
-
-echo "Signing complete!"
diff --git a/sign/entitlements.plist b/sign/entitlements.plist
new file mode 100644
index 0000000..79f7dbb
--- /dev/null
+++ b/sign/entitlements.plist
@@ -0,0 +1,21 @@
+
+
+
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.debugger
+
+ com.apple.security.cs.disable-library-validation
+
+
+
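Review bot: The exit status of `codesign` inside the `for exe` loop of `sign_macos` is never checked, so a failed or rejected signature on one binary still prints "[INFO] Signing complete!" and the script exits 0 unless `set -e` is enabled above the hunk, which is not visible here. The `"$signtool" verify` call at the end of `sign_windows` has the same gap: its result is not acted on before the success message. I would end the two loop lines with `--sign "$DEV_ID" "$exe" || exit 1` and `codesign -vv "$exe" || exit 1`, and close the Windows verify with `"$appDir\\jaunch\\jaunch-windows-"*.exe || exit 1`, so an unsigned or mis-signed artifact cannot leave the pipeline quietly. With that check in place a non-matching glob in the loop, which currently hands the literal pattern `*-macos-*` to codesign, also becomes a hard failure instead of an ignored error.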
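Review bot: The new entitlements file grants every broad hardened-runtime exception at once — `allow-dyld-environment-variables`, `allow-unsigned-executable-memory`, `debugger` and `disable-library-validation` alongside `allow-jit` — with no note on which of them the signed launcher actually needs, and each key switches off one of the protections that `--options runtime` in bin/sign.sh is there to turn on. `com.apple.security.cs.debugger` is the debugging-tool entitlement and has no evident use for an application launcher, and `allow-unsigned-executable-memory` is the older, wider form of what `allow-jit` already covers. I would keep only the keys the launched runtime is known to require (presumably `allow-jit`, plus `disable-library-validation` if it loads native libraries signed by other teams — to be confirmed against the application) and put an XML comment above each remaining key stating the reason, e.g. `<!-- allow-jit: required by the JIT compiler of the bundled runtime -->`.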