I am using CPACK/IFW to generate a .dmg disk image installer on macOS. This disk image contains a self-extracting binary. In order to run binaries, they need (a) to be signed and (b) notarised by Apple to avoid scary popups by gatekeeper. I can sign my own binaries inside the installer prior to packing, and the .dmg itself after "make package" finishes. But not the generated installer binary. That said, signing is a major prerequisite for notarisation. The QtIFW binarytool has the option > -s|--sign identity Sign generated app bundle using the given code signing identity where _identity_ should probably be the same as used for "codesign" on macOS. Unfortunately, cpack does not seem to support this yet. At least there's nothing obvious in the manual [1]. [1] https://cmake.org/cmake/help/latest/cpack_gen/ifw.html