diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7140cf1..082f9fb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -100,6 +100,22 @@ jobs:
       - name: Test
         if: matrix.host.testable
         run: make test
+      - name: Import Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        uses: wpilibsuite/import-signing-certificate@v1
+        with:
+          certificate-data: ${{ secrets.APPLE_CERTIFICATE_DATA }}
+          certificate-passphrase: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          keychain-password: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+      - name: Sign toolchain with Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        env:
+          APPLE_DEVELOPER_ID: ${{ secrets.APPLE_DEVELOPER_ID }}
+        run: make sign
       - uses: actions/upload-artifact@v3
         with:
           name: roborio-academic-cortexa9_vfpv3-${{matrix.host.os-cfg}}
@@ -181,6 +197,22 @@ jobs:
       - name: Test
         if: matrix.host.testable
         run: make test
+      - name: Import Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        uses: wpilibsuite/import-signing-certificate@v1
+        with:
+          certificate-data: ${{ secrets.APPLE_CERTIFICATE_DATA }}
+          certificate-passphrase: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          keychain-password: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+      - name: Sign toolchain with Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        env:
+          APPLE_DEVELOPER_ID: ${{ secrets.APPLE_DEVELOPER_ID }}
+        run: make sign
       - uses: actions/upload-artifact@v3
         with:
           name: bullseye-armhf-${{matrix.host.os-cfg}}
@@ -262,6 +294,22 @@ jobs:
       - name: Test
         if: matrix.host.testable
         run: make test
+      - name: Import Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        uses: wpilibsuite/import-signing-certificate@v1
+        with:
+          certificate-data: ${{ secrets.APPLE_CERTIFICATE_DATA }}
+          certificate-passphrase: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          keychain-password: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+      - name: Sign toolchain with Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        env:
+          APPLE_DEVELOPER_ID: ${{ secrets.APPLE_DEVELOPER_ID }}
+        run: make sign
       - uses: actions/upload-artifact@v3
         with:
           name: bullseye-arm64-${{matrix.host.os-cfg}}
@@ -349,6 +397,22 @@ jobs:
       - name: Test
         if: matrix.host.testable
         run: make test
+      - name: Import Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        uses: wpilibsuite/import-signing-certificate@v1
+        with:
+          certificate-data: ${{ secrets.APPLE_CERTIFICATE_DATA }}
+          certificate-passphrase: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          keychain-password: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+      - name: Sign toolchain with Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        env:
+          APPLE_DEVELOPER_ID: ${{ secrets.APPLE_DEVELOPER_ID }}
+        run: make sign
       - uses: actions/upload-artifact@v3
         with:
           name: raspi-bullseye-armhf-${{matrix.host.os-cfg}}
diff --git a/.github/workflows/ci.yml.jinja b/.github/workflows/ci.yml.jinja
index 105c137..fbdeec8 100644
--- a/.github/workflows/ci.yml.jinja
+++ b/.github/workflows/ci.yml.jinja
@@ -112,6 +112,22 @@ jobs:
       - name: Test
         if: matrix.host.testable
         run: make test
+      - name: Import Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        uses: wpilibsuite/import-signing-certificate@v1
+        with:
+          certificate-data: ${{ '{{' }} secrets.APPLE_CERTIFICATE_DATA }}
+          certificate-passphrase: ${{ '{{' }} secrets.APPLE_CERTIFICATE_PASSWORD }}
+          keychain-password: ${{ '{{' }} secrets.APPLE_KEYCHAIN_PASSWORD }}
+      - name: Sign toolchain with Apple Developer ID Certificate
+        if: contains(matrix.host.os-cfg, 'macos') &&
+          github.repository_owner == 'wpilibsuite' &&
+          startsWith(github.ref, 'refs/tags/v')
+        env:
+          APPLE_DEVELOPER_ID: ${{ '{{' }} secrets.APPLE_DEVELOPER_ID }}
+        run: make sign
       - uses: actions/upload-artifact@v3
         with:
           name: {{ target.os }}-{{ target.port }}-${{ '{{' }}matrix.host.os-cfg}}