diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 24b39d3..938e352 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,15 +21,19 @@ jobs:
 
     - name: Install the Apple certificate and provisioning profile
       env:
+        APP_STORE_ISSUER_ID: ${{ secrets.APP_STORE_ISSUER_ID }}
+        APP_STORE_KEY_ID: ${{ secrets.APP_STORE_KEY_ID }}
+        APP_STORE_KEY_P8: ${{ secrets.APP_STORE_KEY_P8 }}
         BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
-        P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
-        BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
         KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+
       run: |
         # create variables
         CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
         PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
         KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+        APP_STORE_KEY_PATH=$RUNNER_TEMP/key.p8
 
         # import certificate profile from secrets
         echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
@@ -43,13 +47,15 @@ jobs:
         security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
         security list-keychain -d user -s $KEYCHAIN_PATH
 
+        # import app store connect API key
+        echo -n "${APP_STORE_KEY_P8}" >${APP_STORE_KEY_PATH}
+        xcrun notarytool store-credentials -k "${APP_STORE_KEY_PATH}" -d "${APP_STORE_KEY_ID}" -i "${APP_STORE_ISSUER_ID}" --keychain "${KEYCHAIN_PATH}" --no-validate "App Store Connect - Notarization API Key"
+        rm "${APP_STORE_KEY_PATH}"
+
     - name: Build code
       run: make release
 
-    - name: Run check
-      run: make check
-
-    - name: Build ZIP
+    - name: Build and notarize distribution
       run: |
         make dist
         (cd build && echo "DIST=$(echo *.zip)" >>$GITHUB_ENV)
@@ -63,6 +69,7 @@ jobs:
       if: ${{ always() }}
       run: |
         security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+        rm -f $RUNNER_TEMP/key.p8
 
   publish_release:
     permissions:
diff --git a/CHANGES b/CHANGES
index 278ee80..6dcfbc5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+0.2-1 | 2024-02-09 22:13:36 +0100
+
+  * Notarize distribution.
+
 0.2 | 2024-02-03 22:24:03 +0100
 
   * Implement printing.
diff --git a/Makefile b/Makefile
index d658135..7ec5ac8 100644
--- a/Makefile
+++ b/Makefile
@@ -1,21 +1,29 @@
 
 VERSION=$(shell cat VERSION)
+NOTARIZATION_PROFILE="App Store Connect - Notarization API Key"
 
 all: adhoc
 
 adhoc:
-	@xcodebuild -quiet -target qlview-adhoc -configuration Release
+	xcodebuild -quiet -target qlview-adhoc -configuration Release
 
 release:
-	@xcodebuild -quiet -target qlview-signed -configuration Release
-
-check: release
+	xcodebuild -quiet -target qlview-signed -configuration Release
 	codesign --verify --verbose build/Release/qlview
-	spctl --assess --verbose build/Release/qlview
 
-dist: release
-	@rm -rf build/dist
-	@mkdir -p build/dist
+check:
+
+zip:
+	rm -rf build/dist
+	mkdir -p build/dist
 	cp -R build/Release/qlview build/dist
 	cd build/dist && zip -r ../qlview-$(VERSION).zip *
-	@ls build/*.zip
+	ls build/*.zip | sed 's/^/> /'
+
+notarize:
+	xcrun notarytool submit --keychain-profile $(NOTARIZATION_PROFILE) --wait --timeout 10m build/qlview-$(VERSION).zip
+
+dist: zip notarize
+
+clean:
+	rm -rf build
diff --git a/README.md b/README.md
index cc7b352..63dcf15 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ quick command-line viewer for terminal applications, like
 ## Installation
 
 You currently need to build it yourself. Assuming you have Xcode
-installed, either use it to open the project, or run `make release`
+installed, either use it to open the project, or run `make`
 from the command line. You will then find an executable in
 `build/Release/qlview`.
 
diff --git a/VERSION b/VERSION
index 3b04cfb..bf5d6e0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.2
+0.2-1
diff --git a/qlview.xcodeproj/project.pbxproj b/qlview.xcodeproj/project.pbxproj
index c7598b1..bf6587d 100644
--- a/qlview.xcodeproj/project.pbxproj
+++ b/qlview.xcodeproj/project.pbxproj
@@ -203,13 +203,16 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_ENABLE_MODULES = YES;
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
-				CODE_SIGN_STYLE = Automatic;
-				DEVELOPMENT_TEAM = 4UJK727T59;
+				CODE_SIGN_STYLE = Manual;
+				DEVELOPMENT_TEAM = "";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = 4UJK727T59;
 				ENABLE_HARDENED_RUNTIME = YES;
 				OTHER_CODE_SIGN_FLAGS = "--timestamp";
 				"PRODUCT_BUNDLE_IDENTIFIER[sdk=macosx*]" = org.rsmmr.qlview;
 				PRODUCT_NAME = qlview;
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 				SWIFT_VERSION = 5.0;
 			};
@@ -219,13 +222,16 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_ENABLE_MODULES = YES;
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
-				CODE_SIGN_STYLE = Automatic;
-				DEVELOPMENT_TEAM = 4UJK727T59;
+				CODE_SIGN_STYLE = Manual;
+				DEVELOPMENT_TEAM = "";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = 4UJK727T59;
 				ENABLE_HARDENED_RUNTIME = YES;
 				OTHER_CODE_SIGN_FLAGS = "--timestamp";
 				"PRODUCT_BUNDLE_IDENTIFIER[sdk=macosx*]" = org.rsmmr.qlview;
 				PRODUCT_NAME = qlview;
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_VERSION = 5.0;
 			};
 			name = Release;
diff --git a/qlview/Info.plist b/qlview/Info.plist
index 3f1d8a7..a7c72e5 100644
--- a/qlview/Info.plist
+++ b/qlview/Info.plist
@@ -11,6 +11,6 @@
 	<key>CFBundleName</key>
 	<string>qlview</string>
 	<key>CFBundleVersion</key>
-	<string>0.2</string>
+	<string>0.2-1</string>
 </dict>
 </plist>