diff --git a/.circleci/config.yml b/.circleci/config.yml index b067c58ec..a03523696 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -41,6 +41,8 @@ jobs: openssl aes-256-cbc -md md5 -d -in ./resources/secrets/config.json.enc -out ./config.json -k ${SECRETS_ENCRYPTION_KEY} - *npm_restore_cache - run: npm ci + - run: patch -p1 < ./resources/macos/macPackager-patch.diff + - run: patch -p1 < ./resources/macos/scheme-patch.diff - run: make build - run: make test - persist_to_workspace: @@ -58,6 +60,8 @@ jobs: - *npm_restore_cache - *install_linux_deps - run: npm ci + - run: patch -p1 < ./resources/macos/macPackager-patch.diff + - run: patch -p1 < ./resources/macos/scheme-patch.diff - *npm_save_cache - run: make package-linux SKIP_BUILD=true - run: @@ -73,7 +77,7 @@ jobs: mac: macos: - xcode: '9.4.1' + xcode: '10.0.0' shell: /bin/bash --login working_directory: /Users/distiller/simplenote steps: @@ -82,6 +86,8 @@ jobs: at: /Users/distiller/simplenote - *npm_restore_cache - run: npm ci + - run: patch -p1 < ./resources/macos/macPackager-patch.diff + - run: patch -p1 < ./resources/macos/scheme-patch.diff - *npm_save_cache - run: name: Build Mac diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt index fb35280bc..15d902a9a 100644 --- a/RELEASE-NOTES.txt +++ b/RELEASE-NOTES.txt @@ -11,6 +11,11 @@ ### Fixes - Rework WordPress.com signin to prevent infinite looping and login failures [#1627](https://github.com/Automattic/simplenote-electron/pull/1627) + +## [v1.9.1] + +### Fixes + - Prevent ulimited duplication of changes after signing out and signing in [#1664](https://github.com/Automattic/simplenote-electron/pull/1664) ## [v1.9.0] diff --git a/after_sign_hook.js b/after_sign_hook.js new file mode 100644 index 000000000..542259b2c --- /dev/null +++ b/after_sign_hook.js 
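Review bot: The two `patch -p1 < ./resources/macos/...` steps added after `npm ci` in the build, linux and mac jobs (and again in appveyor.yml) modify files under `node_modules/app-builder-lib` on CI only, so a release built outside CI presumably either fails validation on the new `hardenedRuntime` key or signs without it, and nothing in the repository says so. Moving the pair into a `postinstall` script in package.json would apply them after every install and remove the four copies; if they stay in CI, a shared YAML anchor like the existing `*npm_restore_cache` would keep the copies in sync. The patches depend on line offsets in the pinned electron-builder 20.32.0, so a comment next to the step such as `# remove once electron-builder passes hardenedRuntime to the signer itself` would tell the next upgrader why it exists.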
@@ -0,0 +1,46 @@
+const fs = require('fs');
+const path = require('path');
+var electron_notarize = require('electron-notarize');
+
+module.exports = async function(params) {
+ // Only notarize the app on Mac OS only.
+ if (process.platform !== 'darwin') {
+ return;
+ }
+ console.log('afterSign hook triggered', params);
+
+ if (!process.env.CIRCLE_TAG || process.env.CIRCLE_TAG.length === 0) {
+ console.log('Not on a tag. Skipping notarization');
+ return;
+ }
+
+ // Same appId in electron-builder.
+ let appId = 'com.automattic.simplenote';
+
+ let appPath = params.appOutDir
+ ? path.join(
+ params.appOutDir,
+ `${params.packager.appInfo.productFilename}.app`
+ )
+ : params.artifactPaths[0].replace(new RegExp('.blockmap'), '');
+
+ if (!fs.existsSync(appPath)) {
+ throw new Error(`Cannot find application at: ${appPath}`);
+ }
+
+ console.log(`Notarizing ${appId} found at ${appPath}`);
+
+ try {
+ await electron_notarize.notarize({
+ appBundleId: appId,
+ appPath: appPath,
+ appleId: process.env.NOTARIZATION_ID,
+ appleIdPassword: process.env.NOTARIZATION_PWD,
+ ascProvider: 'AutomatticInc',
+ });
+ } catch (error) {
+ console.error(error);
+ }
+
+ console.log(`Done notarizing ${appId}`);
+};
diff --git a/appveyor.yml b/appveyor.yml
index 81b5e78f5..084bd9b7e 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -20,6 +20,8 @@ install: - ps: Install-Product node 10 - cinst make - npm ci + - patch -p1 < ./resources/macos/macPackager-patch.diff + - patch -p1 < ./resources/macos/scheme-patch.diff for: # default build / .exe / signed
diff --git a/electron-builder.json b/electron-builder.json
index 247ff15f6..1b8880b03 100644
--- a/electron-builder.json
+++ b/electron-builder.json
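Review bot: A failed notarization does not fail the build in after_sign_hook.js: the `catch` around `electron_notarize.notarize(...)` only calls `console.error(error)`, after which the hook prints `Done notarizing` and returns normally, so a tagged release can ship un-notarized from a green pipeline. The hook also never checks that `NOTARIZATION_ID` and `NOTARIZATION_PWD` are set before submitting. `console.log('afterSign hook triggered', params)` writes the whole packager context to the CI log, which may include signing configuration; logging `params.appOutDir` alone would be enough. `new RegExp('.blockmap')` has an unescaped dot and no anchor, so `/\.blockmap$/` is the safer way to strip only the suffix.

```javascript
  // … unchanged: platform check, CIRCLE_TAG check, appPath resolution and existsSync guard …

  const { NOTARIZATION_ID, NOTARIZATION_PWD } = process.env;
  if (!NOTARIZATION_ID || !NOTARIZATION_PWD) {
    throw new Error(
      'NOTARIZATION_ID and NOTARIZATION_PWD must be set to notarize a tagged build'
    );
  }

  // No try/catch: a rejected notarization must fail the tagged build
  // rather than let an un-notarized artifact be published.
  await electron_notarize.notarize({
    appBundleId: appId,
    appPath: appPath,
    appleId: NOTARIZATION_ID,
    appleIdPassword: NOTARIZATION_PWD,
    ascProvider: 'AutomatticInc',
  });

  console.log(`Done notarizing ${appId}`);
```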
@@ -13,7 +13,10 @@ "mac": { "icon": "./resources/images/app-icon.icns", "category": "public.app-category.social-networking", - "artifactName": "Simplenote-macOS-${version}.${ext}" + "artifactName": "Simplenote-macOS-${version}.${ext}", + "entitlements": "./resources/macos/entitlements.mac.plist", + "entitlementsInherit": "./resources/macos/entitlements.mac.inherit.plist", + "hardenedRuntime": true }, "dmg": { "title": "Simplenote Installer", @@ -100,5 +103,7 @@ }, "deb": { "depends": ["gconf2"] - } + }, + "afterSign": "./after_sign_hook.js", + "afterAllArtifactBuild": "./after_sign_hook.js" } diff --git a/package-lock.json b/package-lock.json index 7fd776593..a1671330b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "simplenote", - "version": "1.8.0-beta1", + "version": "1.9.1", "lockfileVersion": 1, "requires": true, "dependencies": { @@ -2308,9 +2308,9 @@ } }, "semver": { - "version": "5.7.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.0.tgz", - "integrity": "sha512-Ya52jSX2u7QKghxeoFGpLwCtGlt7j0oY9DYb5apt9nPlJ42ID+ulTXESnt/qAQcoSERyZ5sl3LDIOw0nAn/5DA==", + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz", + "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==", "dev": true } } @@ -3299,9 +3299,9 @@ } }, "semver": { - "version": "5.7.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.0.tgz", - "integrity": "sha512-Ya52jSX2u7QKghxeoFGpLwCtGlt7j0oY9DYb5apt9nPlJ42ID+ulTXESnt/qAQcoSERyZ5sl3LDIOw0nAn/5DA==", + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz", + "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==", "dev": true } } 
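Review bot: In the second electron-builder.json hunk, `afterSign` and `afterAllArtifactBuild` both point at `./after_sign_hook.js`, so on a tagged macOS build the hook appears to run twice. The second run presumably has no `params.appOutDir` and falls through to `params.artifactPaths[0]`, which is not guaranteed to be the `.app` bundle or even a macOS artifact. If the second registration is meant to notarize the packaged artifact, a separate hook that selects the artifact by extension would make that explicit; otherwise drop the `afterAllArtifactBuild` entry. JSON cannot carry a comment, so the intent belongs in the hook's header comment.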
@@ -5012,9 +5012,9 @@ "dev": true }, "ejs": { - "version": "2.6.2", - "resolved": "https://registry.npmjs.org/ejs/-/ejs-2.6.2.tgz", - "integrity": "sha512-PcW2a0tyTuPHz3tWyYqtK6r1fZ3gp+3Sop8Ph+ZYN81Ob5rwmbHEzaqs10N3BEsaGTkh/ooniXK+WwszGlc2+Q==", + "version": "2.7.1", + "resolved": "https://registry.npmjs.org/ejs/-/ejs-2.7.1.tgz", + "integrity": "sha512-kS/gEPzZs3Y1rRsbGX4UOSjtP/CeJP0CxSNZHYxGfVM/VgLcv0ZqM7C45YyTj2DI2g7+P9Dd24C+IMIg6D0nYQ==", "dev": true }, "electron": { @@ -5167,9 +5167,9 @@ } }, "p-limit": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.0.tgz", - "integrity": "sha512-pZbTJpoUsCzV48Mc9Nh51VbwO0X9cuPFE8gYwx9BTCt9SF8/b7Zljd2fVgOxhIF/HDTKgpVzs+GPhyKfjLLFRQ==", + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.1.tgz", + "integrity": "sha512-85Tk+90UCVWvbDavCLKPOLC9vvY8OwEX/RtKF+/1OADJMVlFfEHOiMTPVyxg7mk/dKa+ipdHm0OUkTvCpMTuwg==", "dev": true, "requires": { "p-try": "^2.0.0" @@ -5201,9 +5201,9 @@ } }, "semver": { - "version": "5.7.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.0.tgz", - "integrity": "sha512-Ya52jSX2u7QKghxeoFGpLwCtGlt7j0oY9DYb5apt9nPlJ42ID+ulTXESnt/qAQcoSERyZ5sl3LDIOw0nAn/5DA==", + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz", + "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==", "dev": true }, "yargs": { @@ -5303,6 +5303,16 @@ "encoding": "^0.1.12" } }, + "electron-notarize": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/electron-notarize/-/electron-notarize-0.1.1.tgz", + "integrity": "sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg==", + "dev": true, + "requires": { + "debug": "^4.1.1", + "fs-extra": "^8.0.1" + } + }, "electron-osx-sign": { "version": "0.4.11", "resolved": "https://registry.npmjs.org/electron-osx-sign/-/electron-osx-sign-0.4.11.tgz", 
@@ -8772,9 +8782,9 @@ } }, "is-retry-allowed": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/is-retry-allowed/-/is-retry-allowed-1.1.0.tgz", - "integrity": "sha1-EaBgVotnM5REAz0BJaYaINVk+zQ=", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/is-retry-allowed/-/is-retry-allowed-1.2.0.tgz", + "integrity": "sha512-RUbUeKwvm3XG2VYamhJL1xFktgjvPzL0Hq8C+6yrWIswDy3BIXGqCxhxkc30N9jqK311gVU137K8Ei55/zVJRg==", "dev": true }, "is-stream": { @@ -11584,9 +11594,9 @@ }, "dependencies": { "semver": { - "version": "5.7.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.0.tgz", - "integrity": "sha512-Ya52jSX2u7QKghxeoFGpLwCtGlt7j0oY9DYb5apt9nPlJ42ID+ulTXESnt/qAQcoSERyZ5sl3LDIOw0nAn/5DA==", + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz", + "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==", "dev": true } } @@ -13502,9 +13512,9 @@ }, "dependencies": { "semver": { - "version": "5.7.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.0.tgz", - "integrity": "sha512-Ya52jSX2u7QKghxeoFGpLwCtGlt7j0oY9DYb5apt9nPlJ42ID+ulTXESnt/qAQcoSERyZ5sl3LDIOw0nAn/5DA==", + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz", + "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==", "dev": true } } diff --git a/package.json b/package.json index 1c484a1e5..223a858c4 100644 --- a/package.json +++ b/package.json @@ -6,7 +6,7 @@ "email": "support@simplenote.com" }, "productName": "Simplenote", - "version": "1.8.0-beta1", + "version": "1.9.1", "main": "desktop/index.js", "license": "GPL-2.0", "homepage": "https://simplenote.com", @@ -55,6 +55,7 @@ "debug": "4.1.1", "electron": "4.2.11", "electron-builder": "20.32.0", + "electron-notarize": "^0.1.1", "electron-rebuild": "1.8.6", "enzyme": "3.10.0", "enzyme-adapter-react-16": "1.14.0", 
diff --git a/resources/macos/entitlements.mac.inherit.plist b/resources/macos/entitlements.mac.inherit.plist
new file mode 100644
index 000000000..f9350a039
--- /dev/null
+++ b/resources/macos/entitlements.mac.inherit.plist
@@ -0,0 +1,16 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-executable-page-protection
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+
+
diff --git a/resources/macos/entitlements.mac.plist b/resources/macos/entitlements.mac.plist
new file mode 100644
index 000000000..f9350a039
--- /dev/null
+++ b/resources/macos/entitlements.mac.plist
@@ -0,0 +1,16 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-executable-page-protection
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+
+
diff --git a/resources/macos/macPackager-patch.diff b/resources/macos/macPackager-patch.diff
new file mode 100644
index 000000000..6788ca276
--- /dev/null
+++ b/resources/macos/macPackager-patch.diff
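Review bot: The entitlement set in resources/macos/entitlements.mac.inherit.plist is broader than the hardened runtime it accompanies, and entitlements.mac.plist is the same blob (`f9350a039`), so this applies to both. Three of the five keys, `com.apple.security.cs.disable-executable-page-protection`, `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables`, switch off protections that `"hardenedRuntime": true` is meant to turn on, assuming each is set to true (the values are not visible in this rendering). Electron builds typically need `allow-jit` and, on older versions, `allow-unsigned-executable-memory`; the other three should be removed and the signed app retested, and restored only if a concrete failure requires them. Any exception that stays deserves an XML comment next to its key, for example `<!-- required by <component>: <reason> -->`, so a later audit can tell deliberate from copied.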
@@ -0,0 +1,22 @@
+--- ./node_modules/app-builder-lib/out/macPackager.js 1985-10-26 09:15:00.000000000 +0100
++++ ./node_modules/app-builder-lib/new/macPackager.js 2019-10-14 12:50:02.000000000 +0200
+@@ -315,7 +315,8 @@
+ keychain: keychainName || undefined,
+ binaries: (isMas && masOptions != null ? masOptions.binaries : macOptions.binaries) || undefined,
+ requirements: isMas || macOptions.requirements == null ? undefined : yield _this3.getResource(macOptions.requirements),
+- "gatekeeper-assess": _codeSign().appleCertificatePrefixes.find(it => identity.name.startsWith(it)) != null
++ "gatekeeper-assess": _codeSign().appleCertificatePrefixes.find(it => identity.name.startsWith(it)) != null,
++ "hardened-runtime": macOptions.hardenedRuntime
+ };
+ yield _this3.adjustSignOptions(signOptions, masOptions);
+
+@@ -471,6 +472,6 @@
+ }
+
+ return isMas ? "3rd Party Mac Developer Application" : "Developer ID Application";
+-}
++}
+ // __ts-babel@6.0.4
+-//# sourceMappingURL=macPackager.js.map
+\ No newline at end of file
++//# sourceMappingURL=macPackager.js.map
diff --git a/resources/macos/scheme-patch.diff b/resources/macos/scheme-patch.diff
new file mode 100644
index 000000000..476d3f69e
--- /dev/null
+++ b/resources/macos/scheme-patch.diff
@@ -0,0 +1,14 @@
+--- ./node_modules/app-builder-lib/scheme.json 1985-10-26 09:15:00.000000000 +0100
++++ ./node_modules/app-builder-new/scheme.json 2019-10-14 12:54:44.000000000 +0200
+@@ -1819,6 +1819,11 @@
+ "description": "Whether to infer update channel from application version pre-release components. e.g. if version `0.12.1-alpha.1`, channel will be set to `alpha`. Otherwise to `latest`.",
+ "type": "boolean"
+ },
++ "hardenedRuntime": {
++ "default": false,
++ "description": "Whether your app has to be signed with hardened runtime.",
++ "type": "boolean"
++ },
+ "electronLanguages": {
+ "anyOf": [
+ {
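Review bot: Both patch files name different paths on their `---` and `+++` lines (`out/macPackager.js` vs `new/macPackager.js`, and `app-builder-lib/scheme.json` vs `app-builder-new/scheme.json`), so `patch -p1` has to choose which file to modify, and that choice can differ between patch implementations on the CI images. Regenerating them with identical old and new paths removes the ambiguity. The second hunk of macPackager-patch.diff (`@@ -471,6 +472,6 @@`) appears to change only trailing whitespace and the end-of-file newline, which adds a place for the patch to be rejected without changing signing behaviour, and could be dropped. A header line in each file such as `# applies to app-builder-lib as installed by electron-builder 20.32.0` would record which version the offsets were taken from.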