diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 33a662c..d71dd1a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,3 +36,7 @@ jobs:
chocolatey-api-key: ${{ secrets.CHOCOLATEY_API_KEY }}
winget-token: ${{ secrets.WINGET_GITHUB_TOKEN }}
linux-dispatch-token: ${{ secrets.LINUX_PACKAGES_DISPATCH_TOKEN }}
+ macos-cert-p12: ${{ secrets.MACOS_CERT_P12 }}
+ macos-cert-password: ${{ secrets.MACOS_CERT_PASSWORD }}
+ macos-cert-cn: ${{ secrets.MACOS_CERT_CN }}
+ macos-cert-leaf-sha: ${{ secrets.MACOS_CERT_LEAF_SHA }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index ec74aa6..d74cf45 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -42,6 +42,13 @@ builds:
- -X github.com/open-cli-collective/google-readonly/internal/version.Version={{.Version}}
- -X github.com/open-cli-collective/google-readonly/internal/version.Commit={{.Commit}}
- -X github.com/open-cli-collective/google-readonly/internal/version.Date={{.Date}}
+ # macOS code-signing — stable DR so Keychain "Always Allow" survives brew upgrade
+ # (cli-common distribution.md §2A). Logic + identity live in open-cli-collective/.github
+ # (macos-codesign-setup), which exports CODESIGN_DARWIN_SCRIPT (absolute). Unset in
+ # local builds → signing skipped.
+ hooks:
+ post:
+ - cmd: bash -c 'f="${CODESIGN_DARWIN_SCRIPT:-}"; if [ -z "$f" ]; then echo "skip codesign (CODESIGN_DARWIN_SCRIPT unset, local build)"; exit 0; fi; [ -x "$f" ] || { echo "CODESIGN_DARWIN_SCRIPT not executable ($f)" >&2; exit 1; }; exec "$f" "$0" "$1"' "{{ .Path }}" "{{ .Os }}"
- id: gro-unix-win
main: ./cmd/gro
binary: gro
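Review bot: macos-cert-cn and macos-cert-leaf-sha are passed alongside the credential secrets, but a signing identity's common name and leaf fingerprint are identifiers embedded in every signed binary rather than secrets, and routing them through `secrets.*` masks them in every log line that prints them (a fingerprint-mismatch error from the signing step comes out as `***`). If the reusable workflow can accept them as inputs, repository variables under `with:` would keep them readable in logs while still pinning the identity; which block these four keys sit in (`with:` or `secrets:`) is outside the hunk, so confirm that before changing it. The P12 and its password are correctly kept as secrets. The enclosing job mapping starts before the hunk.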
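Review bot: The post hook at the end of the hunk exits 0 whenever CODESIGN_DARWIN_SCRIPT is unset, so a CI run in which the macos-codesign-setup step did not run or did not export the variable ships an unsigned darwin binary without failing the release — the outcome the stable-DR comment is meant to prevent. The skip should be limited to local builds, e.g. replace the unset branch with `if [ -z "$f" ]; then [ -z "${GITHUB_ACTIONS:-}" ] || { echo "CODESIGN_DARWIN_SCRIPT unset in CI" >&2; exit 1; }; echo "skip codesign (CODESIGN_DARWIN_SCRIPT unset, local build)"; exit 0; fi`. The comment also promises the exported path is absolute but the hook never checks it; a `case "$f" in /*) ;; *) echo "CODESIGN_DARWIN_SCRIPT must be absolute ($f)" >&2; exit 1;; esac` before the `-x` test would make a relative path fail loudly instead of resolving against whatever directory goreleaser runs hooks in. The build entry this hook belongs to starts before the hunk (its id is not visible), and the hook runs for every OS of that build, leaving the darwin filter to the exported script.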
@@ -94,7 +101,8 @@ nfpms:
- src: LICENSE
dst: /usr/share/licenses/google-readonly/LICENSE
-# Canonical Homebrew cask with auto-quarantine removal for unsigned binaries.
+# Canonical Homebrew cask with auto-quarantine removal for non-notarized binaries
+# (the darwin binary is code-signed per cli-common distribution.md §2A, not notarized).
# skip_upload: true → goreleaser RENDERS the cask into dist/ but does NOT push
# it; the reusable release workflow's homebrew step is the single atomic tap
# writer. No `token:` here — the tap token belongs only to that writer, and
diff --git a/version.txt b/version.txt
index d3827e7..9459d4b 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.0
+1.1