Thank you very much! That sounds like a good plan. Some more minor follow-up questions: Which identifier should I use to sign the libs and command line helper tools in bin? Can it be the same for all? How is this used? We also have a share with examples and a documentation folder. I assume this does not have to be signed, right? What about shell scripts? Is there maybe a good script to sign everything that is signable without entitlements and then only (re-)sign manually if any entitlements are needed (I expect that no entitlements will be necessary, at least in our libs/tools)? Regarding notarization, I guess uploading the pkg and stapling the ticket will be enough? Best, J