diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 79b6528..6768051 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -37,3 +37,7 @@ jobs:
       chocolatey-api-key: ${{ secrets.CHOCOLATEY_API_KEY }}
       winget-token: ${{ secrets.WINGET_GITHUB_TOKEN }}
       linux-dispatch-token: ${{ secrets.LINUX_PACKAGES_DISPATCH_TOKEN }}
+      macos-cert-p12: ${{ secrets.MACOS_CERT_P12 }}
+      macos-cert-password: ${{ secrets.MACOS_CERT_PASSWORD }}
+      macos-cert-cn: ${{ secrets.MACOS_CERT_CN }}
+      macos-cert-leaf-sha: ${{ secrets.MACOS_CERT_LEAF_SHA }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 0e32f76..bdb8ace 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -41,6 +41,13 @@ builds:
       - -X github.com/open-cli-collective/newrelic-cli/internal/version.Version={{.Version}}
       - -X github.com/open-cli-collective/newrelic-cli/internal/version.Commit={{.Commit}}
       - -X github.com/open-cli-collective/newrelic-cli/internal/version.BuildDate={{.Date}}
+    # macOS code-signing — stable DR so Keychain "Always Allow" survives brew upgrade
+    # (cli-common distribution.md §2A). Logic + identity live in open-cli-collective/.github
+    # (macos-codesign-setup), which exports CODESIGN_DARWIN_SCRIPT (absolute). Unset in
+    # local builds → signing skipped.
+    hooks:
+      post:
+        - cmd: bash -c 'f="${CODESIGN_DARWIN_SCRIPT:-}"; if [ -z "$f" ]; then echo "skip codesign (CODESIGN_DARWIN_SCRIPT unset, local build)"; exit 0; fi; [ -x "$f" ] || { echo "CODESIGN_DARWIN_SCRIPT not executable ($f)" >&2; exit 1; }; exec "$f" "$0" "$1"' "{{ .Path }}" "{{ .Os }}"
   - id: nrq-unix-win
     main: ./cmd/nrq
     binary: nrq
diff --git a/version.txt b/version.txt
index d3827e7..9459d4b 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.0
+1.1