diff --git a/.github/workflows/mac_codesign.yml b/.github/workflows/mac_codesign.yml index 983721794..1cfdd9027 100644 --- a/.github/workflows/mac_codesign.yml +++ b/.github/workflows/mac_codesign.yml @@ -4,19 +4,23 @@ on: workflow_dispatch: # Enables manual trigger from GitHub UI jobs: - code-signing: + build-and-code-sign: runs-on: macos-latest environment: macos-codesign steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@1.70 + with: + components: apple-codesign - name: build run: | - ./build_tools/make_pkg.sh - - name: Execute Code Signing Script - run: ./mac_codesign.sh + echo "$MAC_CODESIGN_APP_P12_BASE64" | base64 --decode > /tmp/app.p12 + echo "$MAC_CODESIGN_INSTALLER_P12_BASE64" | base64 --decode > /tmp/installer.p12 + ./build_tools/make_pkg.sh -s -f /tmp/app.p12 -i /tmp/installer.p12 -p "$MAC_CODESIGN_PASSWORD" + rm /tmp/installer.p12 /tmp/app.p12 env: - MAC_CODESIGN_P12_BASE64: ${{ secrets.MAC_CODESIGN_P12_BASE64 }} + MAC_CODESIGN_APP_P12_BASE64: ${{ secrets.MAC_CODESIGN_APP_P12_BASE64 }} + MAC_CODESIGN_INSTALLER_P12_BASE64: ${{ secrets.MAC_CODESIGN_INSTALLER_P12_BASE64 }} MAC_CODESIGN_PASSWORD: ${{ secrets.MAC_CODESIGN_PASSWORD }} # macOS runners keep having issues loading Cargo.toml dependencies from git (GitHub) instead # of crates.io, so give this a try. It's also sometimes significantly faster on all platforms. diff --git a/build_tools/make_pkg.sh b/build_tools/make_pkg.sh index e0ed7c3b9..46ca44edd 100755 --- a/build_tools/make_pkg.sh +++ b/build_tools/make_pkg.sh @@ -3,7 +3,7 @@ # Script to produce an OS X installer .pkg and .app(.zip) usage() { - echo "Usage: $0 [-s] -f -p [-e ]" + echo "Usage: $0 [-s] -f -i -p [-e ]" exit 1 } 
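Review bot: The decoded signing identities are written to the fixed paths `/tmp/app.p12` and `/tmp/installer.p12`, and the `rm` on the last line of the `run:` block is skipped whenever `make_pkg.sh` fails, because GitHub runs the step with `bash -e`. Decoding into a `mktemp -d` directory (created mode 0700) and removing it from an `EXIT` trap covers both the file permissions and the failure path, as sketched below. The password is also passed as `-p "$MAC_CODESIGN_PASSWORD"`, which puts it in the process argument list; having the script read it from the environment would avoid that. Separately, `components: apple-codesign` looks doubtful: as far as I know apple-codesign is a crate rather than a rustup component, so `rcodesign` probably needs its own install step.

```yaml
      - name: build
        run: |
          CERT_DIR=$(mktemp -d)
          trap 'rm -rf "$CERT_DIR"' EXIT
          echo "$MAC_CODESIGN_APP_P12_BASE64" | base64 --decode > "$CERT_DIR/app.p12"
          echo "$MAC_CODESIGN_INSTALLER_P12_BASE64" | base64 --decode > "$CERT_DIR/installer.p12"
          ./build_tools/make_pkg.sh -s -f "$CERT_DIR/app.p12" -i "$CERT_DIR/installer.p12" -p "$MAC_CODESIGN_PASSWORD"
        # … unchanged: env block mapping the three secrets …
```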
@@ -12,17 +12,18 @@ set -e SIGN= -while getopts "sf:p:e:" opt; do +while getopts "sf:i:p:e:" opt; do case $opt in s) SIGN=1;; - f) P12_FILE=$(realpath "$OPTARG");; + f) P12_APP_FILE=$(realpath "$OPTARG");; + i) P12_INSTALL_FILE=$(realpath "$OPTARG");; p) P12_PASSWORD="$OPTARG";; e) ENTITLEMENTS_FILE=$(realpath "$OPTARG");; \?) usage;; esac done -if [ -n "$SIGN" ] && ([ -z "$P12_FILE" ] || [ -z "$P12_PASSWORD" ]); then +if [ -n "$SIGN" ] && ([ -z "$P12_APP_FILE" ] || [-z "$P12_INSTALL_FILE"] || [ -z "$P12_PASSWORD" ]); then usage fi @@ -37,7 +38,6 @@ fi echo "Version is $VERSION" - PKGDIR=$(mktemp -d) echo "$PKGDIR" @@ -51,9 +51,9 @@ mkdir -p "$PKGDIR/build" "$PKGDIR/root" "$PKGDIR/intermediates" "$PKGDIR/dst" { cd "$PKGDIR/build" && cmake -DMAC_INJECT_GET_TASK_ALLOW=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_EXE_LINKER_FLAGS="-Wl,-ld_classic" -DWITH_GETTEXT=OFF -DFISH_USE_SYSTEM_PCRE2=OFF -DCMAKE_OSX_ARCHITECTURES='arm64;x86_64' "$SRC_DIR" && make VERBOSE=1 -j 12 && env DESTDIR="$PKGDIR/root/" make install; } if test -n "$SIGN"; then - echo "Signing" + echo "Signing executables" ARGS=( - --p12-file "$P12_FILE" + --p12-file "$P12_APP_FILE" --p12-password "$P12_PASSWORD" --code-signature-flags runtime ) 
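Review bot: The new installer-certificate check is written `[-z "$P12_INSTALL_FILE"]` without the spaces that `[` needs, so the shell looks for a command named `[-z`, reports "command not found", and treats that test as false. As a result `-s` without `-i` is not rejected up front; the script builds and signs the executables and only fails later at the installer signing step. The condition should read `[ -z "$P12_INSTALL_FILE" ]`, matching the two tests around it.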
@@ -61,17 +61,40 @@ if test -n "$SIGN"; then ARGS+=(--entitlements-xml-file "$ENTITLEMENTS_FILE") fi for FILE in "$PKGDIR"/root/usr/local/bin/*; do - rcodesign sign "${ARGS[@]}" "$FILE" + (set +x; rcodesign sign "${ARGS[@]}" "$FILE") done fi pkgbuild --scripts "$SRC_DIR/build_tools/osx_package_scripts" --root "$PKGDIR/root/" --identifier 'com.ridiculousfish.fish-shell-pkg' --version "$VERSION" "$PKGDIR/intermediates/fish.pkg" productbuild --package-path "$PKGDIR/intermediates" --distribution "$SRC_DIR/build_tools/osx_distribution.xml" --resources "$SRC_DIR/build_tools/osx_package_resources/" "$OUTPUT_PATH/fish-$VERSION.pkg" -# MAC_PRODUCTSIGN_ID=${MAC_PRODUCTSIGN_ID:--} -# productsign --sign "${MAC_PRODUCTSIGN_ID}" "$OUTPUT_PATH/fish-$VERSION.pkg" "$OUTPUT_PATH/fish-$VERSION-signed.pkg" && mv "$OUTPUT_PATH/fish-$VERSION-signed.pkg" "$OUTPUT_PATH/fish-$VERSION.pkg" +if test -n "$SIGN"; then + echo "Signing installer" + ARGS=( + --p12-file "$P12_INSTALL_FILE" + --p12-password "$P12_PASSWORD" + --code-signature-flags runtime + ) + (set +x; rcodesign sign "${ARGS[@]}" "$OUTPUT_PATH/fish-$VERSION.pkg") +fi -# # Make the app -# { cd "$PKGDIR/build" && make -j 12 signed_fish_macapp && zip -r "$OUTPUT_PATH/fish-$VERSION.app.zip" fish.app; } +# Make the app +cd "$PKGDIR/build" +make -j 12 fish_macapp +if test -n "$SIGN"; then + echo "Signing app" + ARGS=( + --p12-file "$P12_APP_FILE" + --p12-password "$P12_PASSWORD" + --code-signature-flags runtime + ) + if [ -n "$ENTITLEMENTS_FILE" ]; then + ARGS+=(--entitlements-xml-file "$ENTITLEMENTS_FILE") + fi + (set +x; rcodesign sign "${ARGS[@]}" "fish.app") -# rm -rf "$PKGDIR" +fi +mv "fish.app" "$OUTPUT_PATH/fish-$VERSION.app" +zip -r "$OUTPUT_PATH/fish-$VERSION.app.zip" "$OUTPUT_PATH/fish-$VERSION.app"; + +rm -rf "$PKGDIR"
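Review bot: Wrapping each `rcodesign sign` call in `(set +x; …)` only keeps the password out of the shell trace; it is still passed as `--p12-password "$P12_PASSWORD"` in the two new `ARGS` arrays (and in the one built in the previous hunk, where the enclosing `if` starts), so it sits in the process argument list for the length of every signing run. rcodesign also accepts `--p12-password-file`, so the script could write the password once to a mode-0600 file under `$PKGDIR` and pass `--p12-password-file "$P12_PASSWORD_FILE"` at all three call sites. Because the script runs under `set -e`, the closing `rm -rf "$PKGDIR"` is skipped on any failure, which would leave that file and the build tree behind; an `EXIT` trap would make the cleanup unconditional. The final `zip -r "$OUTPUT_PATH/fish-$VERSION.app.zip" "$OUTPUT_PATH/fish-$VERSION.app"` will also store the `$OUTPUT_PATH` directory components inside the archive if that variable is an absolute path (it is set outside this hunk); running it as `(cd "$OUTPUT_PATH" && zip -r "fish-$VERSION.app.zip" "fish-$VERSION.app")` keeps the bundle at the archive root.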