diff --git a/.github/workflows/CreateRelease.yml b/.github/workflows/CreateRelease.yml
index 63bc27f0d..d4b541f3d 100644
--- a/.github/workflows/CreateRelease.yml
+++ b/.github/workflows/CreateRelease.yml
@@ -90,27 +90,7 @@ jobs:
 - name: Deploy
 shell: bash
 run: |
- bash scripts/${{ runner.os }}/2_deploy.sh --cert_pssw='${{ secrets.WIN_CERTIFICATE_PSSW }}' --cert_id=${{ secrets.MACOS_CERT_ID }}
- - name: Get AppBundle Name
- if: runner.os == 'macOS'
- id: abn
- shell: bash
- run: |
- cd install
- NAME=$(ls -d MeshLab*)
- echo "app_bundle_name=$NAME" >> $GITHUB_OUTPUT
- - name: Notarize macOS
- if: runner.os == 'macOS'
- uses: devbotsxyz/xcode-notarize@v1
- with:
- product-path: "install/${{steps.abn.outputs.app_bundle_name}}"
- appstore-connect-username: ${{ secrets.MACOS_NOTARIZATION_USER }}
- appstore-connect-password: ${{ secrets.MACOS_NOTARIZATION_PSSW }}
- - name: Staple Release macOS
- if: runner.os == 'macOS'
- uses: devbotsxyz/xcode-staple@v1
- with:
- product-path: "install/${{steps.abn.outputs.app_bundle_name}}"
+ bash scripts/${{ runner.os }}/2_deploy.sh --cert_pssw='${{ secrets.WIN_CERTIFICATE_PSSW }}' --cert_id='${{ secrets.MACOS_CERT_ID }}' --notarization_user='${{ secrets.MACOS_NOTARIZATION_USER }}' --notarization_team='${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}' --notarization_pssw='${{ secrets.MACOS_NOTARIZATION_PSSW }}'
 - name: Upload MeshLab Portable
 uses: actions/upload-artifact@v3
 with:
@@ -242,7 +222,7 @@ jobs:
 cd ..
 #Create release and upload
- - uses: "marvinpinto/action-automatic-releases@latest"
+ - uses: "marvinpinto/action-automatic-releases@6273874b61ebc8c71f1a61b2d98e234cf389b303"
 with:
 repo_token: "${{ secrets.GITHUB_TOKEN }}"
 automatic_release_tag: "MeshLab-${{steps.envs.outputs.ml_version}}"
diff --git a/scripts/macOS/2_deploy.sh b/scripts/macOS/2_deploy.sh
index b3a3a791a..f359e86e6 100755
--- a/scripts/macOS/2_deploy.sh
+++ b/scripts/macOS/2_deploy.sh
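Review bot: In `.github/workflows/CreateRelease.yml`, the new `bash scripts/${{ runner.os }}/2_deploy.sh …` line of the Deploy step expands five secrets directly into the script text and passes them as command-line arguments, so a value containing a single quote breaks the quoting and every value sits in the process argument list while the step runs. Hand them over through the step's `env:` block and reference shell variables instead, e.g. `NOTAR_PSSW: ${{ secrets.MACOS_NOTARIZATION_PSSW }}` under `env:` and `--notarization_pssw="$NOTAR_PSSW"` in the command. The same line runs for every `runner.os`, so the macOS notarization credentials are also given to the other platforms' deploy scripts, which are not shown here; restricting them to the macOS runner would keep the exposure as narrow as the removed `if: runner.os == 'macOS'` steps had it.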
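Review bot: The commit SHA that replaces `@latest` on the `marvinpinto/action-automatic-releases` step in `.github/workflows/CreateRelease.yml` carries no record of which upstream release it corresponds to, which makes later updates and audits of the pin harder. Add a trailing comment naming it, e.g. `# <upstream tag for this commit>`. Other actions in this workflow, such as `actions/upload-artifact@v3` visible in the earlier hunk, are still referenced by a mutable tag; pinning them the same way would make the release job consistent.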
@@ -6,7 +6,11 @@ INSTALL_PATH=$SCRIPTS_PATH/../../install
 QT_DIR_OPTION=""
 PACKAGES_PATH=$SCRIPTS_PATH/../../packages
 SIGN=false
+NOTARIZE=false
 CERT_ID=""
+NOTAR_USER=""
+NOTAR_TEAM_ID=""
+NOTAR_PASSWORD=""
 #checking for parameters
 for i in "$@"
@@ -25,12 +29,27 @@ case $i in
 shift # past argument=value
 ;;
 -ci=*|--cert_id=*)
- if [ -z "${i#*=}" ]; then
- SIGN=true
- CERT_ID="${i#*=}"
+ CERT_ID="${i#*=}"
+ if [ -n "$CERT_ID" ]; then
+ SIGN=true
 fi
 shift # past argument=value
 ;;
+ -nu=*|--notarization_user=*)
+ NOTAR_USER="${i#*=}"
+ if [ -n "$NOTAR_USER" ]; then
+ NOTARIZE=true
+ fi
+ shift # past argument=value
+ ;;
+ -np=*|--notarization_pssw=*)
+ NOTAR_PASSWORD="${i#*=}"
+ shift # past argument=value
+ ;;
+ -nt=*|--notarization_team=*)
+ NOTAR_TEAM_ID="${i#*=}"
+ shift # past argument=value
+ ;;
 *)
 # unknown option
 ;;
@@ -47,6 +66,12 @@ if [ "$SIGN" = true ] ; then
 echo "======= AppBundle Signed ======="
 fi
-bash $SCRIPTS_PATH/internal/2c_dmg.sh -i=$INSTALL_PATH -p=$PACKAGES_PATH
+if [ "$NOTARIZE" = true ] ; then
+ bash $SCRIPTS_PATH/internal/2c_notarize_appbundle.sh -i=$INSTALL_PATH -nu=$NOTAR_USER -nt=$NOTAR_TEAM_ID -np=$NOTAR_PASSWORD
+
+ echo "======= AppBundle Notarized ======="
+fi
+
+bash $SCRIPTS_PATH/internal/2d_dmg.sh -i=$INSTALL_PATH -p=$PACKAGES_PATH
 echo "======= DMG Created ======="
\ No newline at end of file
diff --git a/scripts/macOS/internal/2b_sign_appbundle.sh b/scripts/macOS/internal/2b_sign_appbundle.sh
index 9837efb8a..268d6c456 100644
--- a/scripts/macOS/internal/2b_sign_appbundle.sh
+++ b/scripts/macOS/internal/2b_sign_appbundle.sh
@@ -23,4 +23,6 @@ case $i in
 esac
 done
-codesign --options "runtime" --timestamp --force --deep --sign $CERT_ID $INSTALL_PATH/meshlab.app
\ No newline at end of file
+codesign --options "runtime" --timestamp --force --deep --sign $CERT_ID $INSTALL_PATH/meshlab.app
+
+spctl -a -vvv $INSTALL_PATH/meshlab.app
\ No newline at end of file
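Review bot: In the option parsing of `scripts/macOS/2_deploy.sh`, `NOTARIZE=true` is set as soon as `--notarization_user` is non-empty, while `NOTAR_PASSWORD` and `NOTAR_TEAM_ID` are stored without any check. If one of those secrets is unset in the workflow, the notarization step is still attempted with an empty argument. After the loop, require all three before notarizing and fail with a clear message otherwise, e.g. `if [ "$NOTARIZE" = true ] && { [ -z "$NOTAR_PASSWORD" ] || [ -z "$NOTAR_TEAM_ID" ]; }; then echo "notarization credentials incomplete" >&2; exit 1; fi`. The `for`/`case` block starts and ends outside this hunk.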
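Review bot: The new call to `2c_notarize_appbundle.sh` in `scripts/macOS/2_deploy.sh` passes `-nu=$NOTAR_USER -nt=$NOTAR_TEAM_ID -np=$NOTAR_PASSWORD` unquoted, so a password containing whitespace or glob characters is split or expanded before the child script parses it; quote each expansion, e.g. `-np="$NOTAR_PASSWORD"`. The call's exit status is also not checked, so `======= AppBundle Notarized =======` is printed and the DMG is built even when notarization failed, unless `set -e` is enabled above this hunk. Appending `|| exit 1` to the call would stop the release instead of shipping an un-notarized bundle.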
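Review bot: `spctl -a -vvv` is added to `scripts/macOS/internal/2b_sign_appbundle.sh` directly after `codesign`, before the bundle has been notarized and stapled, so the Gatekeeper assessment is likely to reject the app at this stage and, as the last command, its status becomes the script's exit status. A signature-only check fits this step better, e.g. `codesign --verify --deep --strict --verbose=2 "$INSTALL_PATH/meshlab.app"`, with the `spctl` assessment moved after `xcrun stapler staple` in `2c_notarize_appbundle.sh`. `$CERT_ID` and `$INSTALL_PATH` should be quoted on both lines.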
diff --git a/scripts/macOS/internal/2c_notarize_appbundle.sh b/scripts/macOS/internal/2c_notarize_appbundle.sh
new file mode 100644
index 000000000..3eb6346ca
--- /dev/null
+++ b/scripts/macOS/internal/2c_notarize_appbundle.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+SCRIPTS_PATH="$(dirname "$(realpath "$0")")"/..
+
+INSTALL_PATH=$SCRIPTS_PATH/../../install
+NOTAR_USER=""
+NOTAR_PASSWORD=""
+NOTAR_TEAM_ID=""
+
+#checking for parameters
+for i in "$@"
+do
+case $i in
+ -i=*|--install_path=*)
+ INSTALL_PATH="${i#*=}"
+ shift # past argument=value
+ ;;
+ -nu=*|--notarization_user=*)
+ NOTAR_USER="${i#*=}"
+ shift # past argument=value
+ ;;
+ -nt=*|--notarization_team=*)
+ NOTAR_TEAM_ID="${i#*=}"
+ shift # past argument=value
+ ;;
+ -np=*|--notarization_pssw=*)
+ NOTAR_PASSWORD="${i#*=}"
+ shift # past argument=value
+ ;;
+ *)
+ # unknown option
+ ;;
+esac
+done
+
+xcrun notarytool store-credentials "notarytool-profile" --apple-id $NOTAR_USER --team-id $NOTAR_TEAM_ID --password $NOTAR_PASSWORD
+
+ditto -c -k --keepParent "$INSTALL_PATH/meshlab.app" "$INSTALL_PATH/notarization.zip"
+
+xcrun notarytool submit "install/notarization.zip" --keychain-profile "notarytool-profile" --wait
+
+xcrun stapler staple "$INSTALL_PATH/meshlab.app"
+
+rm -rf $INSTALL_PATH/notarization.zip
\ No newline at end of file
diff --git a/scripts/macOS/internal/2c_dmg.sh b/scripts/macOS/internal/2d_dmg.sh
similarity index 100%
rename from scripts/macOS/internal/2c_dmg.sh
rename to scripts/macOS/internal/2d_dmg.sh
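Review bot: In the new `scripts/macOS/internal/2c_notarize_appbundle.sh`, `xcrun notarytool submit "install/notarization.zip"` uses a path relative to the current directory, while `ditto` writes the archive to `"$INSTALL_PATH/notarization.zip"`; the two only agree when the script is run from the repository root with the default install path. The script has no `set -e` and ends with `rm -rf`, so a failed submission or staple still exits with status 0 and the caller goes on to package an un-notarized bundle. `$NOTAR_USER`, `$NOTAR_TEAM_ID` and `$NOTAR_PASSWORD` are also expanded unquoted in `store-credentials`. The rewrite below reuses one archive path, quotes the expansions, stops on the first failure and removes the archive on exit.

```bash
# … unchanged: defaults and option parsing …

# Stop at the first failing command so the caller sees a non-zero status.
set -e

ZIP_PATH="$INSTALL_PATH/notarization.zip"
# Remove the temporary archive whether notarization succeeds or not.
trap 'rm -f "$ZIP_PATH"' EXIT

xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTAR_USER" --team-id "$NOTAR_TEAM_ID" --password "$NOTAR_PASSWORD"

ditto -c -k --keepParent "$INSTALL_PATH/meshlab.app" "$ZIP_PATH"

xcrun notarytool submit "$ZIP_PATH" --keychain-profile "notarytool-profile" --wait

xcrun stapler staple "$INSTALL_PATH/meshlab.app"
```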