diff --git a/build/build.sh b/build/build.sh
index a0d9b41..82e50b2 100644
--- a/build/build.sh
+++ b/build/build.sh
@@ -45,6 +45,8 @@ build_darwin () {
 echo "build launcher ..."
 brew install gcc
 gcc src/calm.c -o calm
+ # codesign for macos-14 enhanced security
+ codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime calm
 echo "remove Windows fonts dir ..."
 sed '/C:\\Windows\\Fonts<\/dir>/d' s/usr/all/fonts.conf > tmp-fonts.conf
diff --git a/s/dev/darwin/config-lib.sh b/s/dev/darwin/config-lib.sh
index e5e4cb7..c113f09 100644
--- a/s/dev/darwin/config-lib.sh
+++ b/s/dev/darwin/config-lib.sh
@@ -65,5 +65,6 @@ ls -lah .
 # copy all typelibs
 cp -L -R $(brew --prefix)/lib/girepository-1.0/*.typelib ./
-# codesign for macos-14, since we changed those libs
+# codesign for macos-14 enhanced security
 ls *.dylib | xargs -I _ codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime _
+ls *.typelib | xargs -I _ sudo codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime _
diff --git a/s/usr/macos/bundle.lisp b/s/usr/macos/bundle.lisp
index 10a84d9..bafe1a4 100644
--- a/s/usr/macos/bundle.lisp
+++ b/s/usr/macos/bundle.lisp
@@ -13,7 +13,8 @@
 (dist-dir-abs (or (uiop:absolute-pathname-p dist-dir)
 (uiop:merge-pathnames* dist-dir *calm-env-app-dir*)))
 (app-icon-abs (or (uiop:absolute-pathname-p app-icon)
- (uiop:merge-pathnames* app-icon *calm-env-app-dir*))))
+ (uiop:merge-pathnames* app-icon *calm-env-app-dir*)))
+ (codesign-cmd "codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime "))
 ;; clean old bunlde
 (uiop:delete-directory-tree app-dir :validate t :if-does-not-exist :ignore)
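Review bot: The comment added in build_darwin (build/build.sh) says "enhanced security", but `--sign -` produces an ad-hoc signature with no signing identity, so it satisfies the requirement that the binary be signed without telling anyone who built it. I would reword the comment to say so, e.g. `# ad-hoc signature (no Developer ID identity); needed for the launcher to run on macos-14`. Following the signing line with `codesign --verify --strict calm` would make a failed signature stop the build here instead of surfacing at first launch. Whether the script runs under `set -e` is not visible in this hunk, and build_darwin continues outside it.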
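Review bot: The new `.typelib` line in s/dev/darwin/config-lib.sh runs codesign under `sudo` while the `.dylib` line just above it does not, and nothing visible explains why root is needed for files that `cp -L -R` has just copied into the working directory. Signing as root can leave root-owned files in the build tree and makes unattended runs prompt or fail; if the copies are merely read-only, `chmod u+w ./*.typelib` is the narrower fix. Both lines also feed `ls` output through `xargs -I _`, which mishandles names containing whitespace or quotes; `for f in ./*.typelib; do codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime "$f"; done` avoids that. Typelibs are data files rather than Mach-O images, so it is worth confirming the per-file signature is needed at all: as far as I know codesign keeps signatures for such files in extended attributes, which many copy and archive steps drop.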
@@ -38,7 +39,17 @@
 dist-dir-abs app-macos-dir)
 ;; copy icon
- (u:copy-file app-icon-abs (merge-pathnames "icon.icns" app-resources-dir)))
+ (u:copy-file app-icon-abs (merge-pathnames "icon.icns" app-resources-dir))
+
+ (u:calm-log "signing everything... (some files need sudo permission)")
+ (u:exec (str:concat "find " app-name ".app/Contents/MacOS/ -type f | xargs -I _ sudo " codesign-cmd " _")
+ :ignore-error-status t)
+ (u:calm-log "signing calm launcher...")
+ (u:exec (str:concat "sudo " codesign-cmd app-name ".app/Contents/MacOS/calm")
+ :ignore-error-status t)
+ (u:calm-log "signing the application bundle itself...")
+ (u:exec (str:concat "sudo " codesign-cmd app-name ".app")
+ :ignore-error-status t))
 (u:calm-log-fancy "~%Application Bundle created: ~A.app~%" app-name))
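Review bot: `app-name` is concatenated unquoted into three command strings that each run with `sudo`, so, assuming `u:exec` hands the string to a shell (the pipe in the first call suggests it does), a bundle name containing a space breaks the signing and one containing shell metacharacters is interpreted by a root shell; where `app-name` is set lies outside this hunk, so treat it as untrusted unless it is validated there. Quote the path before concatenating, e.g. `(uiop:escape-sh-token (str:concat app-name ".app"))`, and prefer `find … -exec` over `xargs -I _` for the per-file pass. All three calls also pass `:ignore-error-status t`, so a failed signature is silently ignored and the "Application Bundle created" message still prints; drop the flag for the final bundle signing, or follow it with `codesign --verify --deep --strict` and log the result. If root is only needed because the copied files are read-only, `chmod -R u+w` on the bundle is a narrower fix than `sudo`.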