diff --git a/src/Tools/entitlements.plist b/src/Tools/entitlements.plist
new file mode 100644
index 0000000000..8cc185af8d
--- /dev/null
+++ b/src/Tools/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+</dict>
+</plist>
diff --git a/src/Tools/macos_sign_and_notarize.sh b/src/Tools/macos_sign_and_notarize.sh
index ed9b50cc41..77ee2d6028 100644
--- a/src/Tools/macos_sign_and_notarize.sh
+++ b/src/Tools/macos_sign_and_notarize.sh
@@ -17,62 +17,46 @@
 # script.
 
 # CONFIGURATION OPTIONS
-CONTAINING_FOLDER="FreeCAD-0.21-RC1-x86" # Must contain FreeCAD.app and nothing else
-ARCH="intel_x86" # intel_x86 or arm64
+CONTAINING_FOLDER="FreeCAD_0.21.1_arm64" # Must contain FreeCAD.app and nothing else
+ARCH="arm64" # intel_x86 or arm64
 VERSION_MAJOR="0"
 VERSION_MINOR="21"
-VERSION_PATCH="0"
-VERSION_SUFFIX="RC1" # e.g. alpha, beta, RC1, RC2, release
+VERSION_PATCH="1"
+VERSION_SUFFIX="" # e.g. alpha, beta, RC1, RC2, release
 
+function run_codesign {
+    echo "Signing $1"
+    codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp --entitlements entitlements.plist $1
+}
 
-# Sign all library files
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp `find ${CONTAINING_FOLDER}/FreeCAD.app -name "*.dylib"`
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp `find ${CONTAINING_FOLDER}/FreeCAD.app -name "*.so"`
+IFS=$'\n'
+dylibs=($(find ${CONTAINING_FOLDER}/FreeCAD.app -name "*.dylib"))
+shared_objects=($(find ${CONTAINING_FOLDER}/FreeCAD.app -name "*.so"))
+executables=($(file `find . -type f -perm +111 -print` | grep "Mach-O 64-bit executable" | sed 's/:.*//g'))
+IFS=$' \t\n' # The default
+
+signed_files=("${dylibs[@]}" "${shared_objects[@]}" "${executables[@]}")
 
 # This list of files is generated from:
-# file `find . -type f -perm +111 -print` | grep "Mach-O 64-bit executable"
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/bin/freecadcmd
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/bin/python
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/bin/ccx
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/bin/freecad
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/QtWebEngineProcess
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/gstreamer-1.0/gst-hotdoc-plugins-scanner
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/gstreamer-1.0/gst-plugin-scanner
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/gstreamer-1.0/gst-ptp-helper
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/p11-kit/p11-kit-server
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/p11-kit/p11-kit-remote
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kproplog
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/krb5kdc
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/gss-server
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/sserver
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kprop
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kadmin.local
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kdb5_util
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kpropd
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/sim_server
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kadmind
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/uuserver
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/pgxs/src/test/regress/pg_regress
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/pgxs/src/test/isolation/isolationtester
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/pgxs/src/test/isolation/pg_isolation_regress
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/gettext/urlget
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/gettext/hostname
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/gettext/cldr-plurals
+# file `find . -type f -perm +111 -print` | grep "Mach-O 64-bit executable" | sed 's/:.*//g'
+for exe in ${signed_files}; do
+    run_codesign "${exe}"
+done
 
 # Two additional files that must be signed that aren't caught by the above searches:
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/packages.txt
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Library/QuickLook/QuicklookFCStd.qlgenerator/Contents/MacOS/QuicklookFCStd
+run_codesign "${CONTAINING_FOLDER}/FreeCAD.app/Contents/packages.txt"
+run_codesign "${CONTAINING_FOLDER}/FreeCAD.app/Contents/Library/QuickLook/QuicklookFCStd.qlgenerator/Contents/MacOS/QuicklookFCStd"
 
 # Finally, sign the app itself (must be done last)
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app
+run_codesign "${CONTAINING_FOLDER}/FreeCAD.app"
 
 # Create a disk image from the folder
-DMG_NAME="FreeCAD-${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}-${VERSION_SUFFIX}-mac-${ARCH}"
+DMG_NAME="FreeCAD-${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}-mac-${ARCH}.dmg"
 echo "Creating disk image ${DMG_NAME}"
 hdiutil create -srcfolder "${CONTAINING_FOLDER}" "${DMG_NAME}"
 
 # Submit it for notarization (requires that an App Store API Key has been set up in the notarytool)
-xcrun notarytool submit --wait --keychain-profile "FreeCAD" ${DMG_NAME}.dmg
+xcrun notarytool submit --wait --keychain-profile "FreeCAD" ${DMG_NAME}
 
 # Assuming that notarization succeeded, it's a good practice to staple that notarization to the DMG
 xcrun stapler staple ${DMG_NAME}