diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
index 038f69e7..4580351a 100644
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@@ -217,6 +217,7 @@ jobs:
 echo "APPLE_CERT_P12_BASE64=${{ steps.vault_apple.outputs.APPLE_CERT_P12_BASE64 }}"
 echo "APPLE_CERT_PASSWORD=${{ steps.vault_apple.outputs.APPLE_CERT_PASSWORD }}"
 echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
+ echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
 echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault_apple.outputs.APPLE_KEYCHAIN_PASSWORD }}"
 echo "APPLE_EXPORT_METHOD=${{ steps.vault_apple.outputs.APPLE_EXPORT_METHOD }}"
 echo "WINDOWS_PFX_BASE64=${{ steps.vault_windows.outputs.WINDOWS_PFX_BASE64 }}"
@@ -347,10 +348,6 @@ jobs:
 jwtGithubAudience: vault
 ignoreNotFound: true
 secrets: |
- kv/data/github-actions/xworkmate-app APPLE_CERT_P12_BASE64 | APPLE_CERT_P12_BASE64 ;
- kv/data/github-actions/xworkmate-app APPLE_CERT_PASSWORD | APPLE_CERT_PASSWORD ;
- kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
- kv/data/github-actions/xworkmate-app APPLE_KEYCHAIN_PASSWORD | APPLE_KEYCHAIN_PASSWORD ;
 kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_ID | APP_STORE_CONNECT_API_KEY_ID ;
 kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_ISSUER_ID | APP_STORE_CONNECT_ISSUER_ID ;
 kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_P8_BASE64 | APP_STORE_CONNECT_API_KEY_P8_BASE64
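Review bot: The added `echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"` line (hunk at -217) reads an output that no hunk in this diff adds to the `vault_apple` step's `secrets:` list, while the same commit removes that key from the other Vault step (hunk at -347). If `vault_apple` does not already request it (its definition is outside the hunk), the value expands to an empty string and the failure only surfaces later in the packaging script; should that step also set `ignoreNotFound: true`, as the other one does, the fetch itself will not fail either. Confirm that `kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;` is present under `vault_apple`. Separately, `${{ }}` pastes the secret into the shell text of the `run:` block; mapping it under the step's `env:` and writing `"$APPLE_MAC_PROVISION_PROFILE_BASE64"` avoids quoting surprises and keeps the value out of the rendered script.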
@@ -359,10 +356,6 @@ jobs:
 if: ${{ matrix.target != 'github_release' }}
 run: |
 {
- echo "APPLE_CERT_P12_BASE64=${{ steps.vault.outputs.APPLE_CERT_P12_BASE64 }}"
- echo "APPLE_CERT_PASSWORD=${{ steps.vault.outputs.APPLE_CERT_PASSWORD }}"
- echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
- echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault.outputs.APPLE_KEYCHAIN_PASSWORD }}"
 echo "APP_STORE_CONNECT_API_KEY_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_ID }}"
 echo "APP_STORE_CONNECT_ISSUER_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_ISSUER_ID }}"
 echo "APP_STORE_CONNECT_API_KEY_P8_BASE64=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_P8_BASE64 }}"
diff --git a/macos/Runner.xcodeproj/project.pbxproj b/macos/Runner.xcodeproj/project.pbxproj
index 0d884d44..ae08df26 100644
--- a/macos/Runner.xcodeproj/project.pbxproj
+++ b/macos/Runner.xcodeproj/project.pbxproj
@@ -687,7 +687,7 @@
 338D0CEB231458BD00FA5F75 /* Profile */ = {
 isa = XCBuildConfiguration;
 buildSettings = {
- CODE_SIGN_STYLE = Manual;
+ CODE_SIGN_STYLE = Automatic;
 MACOSX_DEPLOYMENT_TARGET = 14.0;
 PRODUCT_NAME = "$(TARGET_NAME)";
 };
diff --git a/scripts/ci/apple_signing.sh b/scripts/ci/apple_signing.sh
index 00808a98..eb430de2 100644
--- a/scripts/ci/apple_signing.sh
+++ b/scripts/ci/apple_signing.sh
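Review bot: Only the `/* Profile */` build configuration (338D0CEB231458BD00FA5F75) is switched to `CODE_SIGN_STYLE = Automatic;` in the project.pbxproj hunk, while the packaging script changed in this commit archives with `-configuration Release`. If the Release configuration of the same target is still Manual (it is not shown in this diff), the `-allowProvisioningUpdates` flags added to `xcodebuild` will likely have no effect on the archive. If Release is already Automatic, the commit message should say that this hunk only brings Profile in line. Either way the configurations of one target should agree on signing style, so that the CI build is not signed differently from a local one.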
@@ -82,3 +82,47 @@ apple_install_provision_profile() {
 export APPLE_SIGNING_PROFILE_PATH="$profile_path"
 apple_register_cleanup "rm -f \"$profile_path\""
 }
+
+apple_install_base64_provision_profile() {
+ local source_var="${1:?base64 source variable is required}"
+ local expected_bundle_id="${2:-}"
+
+ apple_require_signing_vars "$source_var"
+
+ local tmp_dir
+ tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-profile.XXXXXX")"
+ local tmp_profile="$tmp_dir/profile.provisionprofile"
+ local profile_plist="$tmp_dir/profile.plist"
+ apple_register_cleanup "rm -rf \"$tmp_dir\""
+
+ printf '%s' "${!source_var}" | apple_decode_base64 > "$tmp_profile"
+ security cms -D -i "$tmp_profile" > "$profile_plist"
+
+ local profile_uuid profile_name profile_team profile_app_id profile_platform
+ profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print :UUID' "$profile_plist")"
+ profile_name="$(/usr/libexec/PlistBuddy -c 'Print :Name' "$profile_plist")"
+ profile_team="$(/usr/libexec/PlistBuddy -c 'Print :TeamIdentifier:0' "$profile_plist")"
+ profile_app_id="$(/usr/libexec/PlistBuddy -c 'Print :Entitlements:com.apple.application-identifier' "$profile_plist")"
+ profile_platform="$(/usr/libexec/PlistBuddy -c 'Print :Platform:0' "$profile_plist")"
+
+ if [[ "$profile_platform" != "OSX" ]]; then
+ echo "Provisioning profile '$profile_name' targets '$profile_platform', expected 'OSX'." >&2
+ return 1
+ fi
+ if [[ -n "$expected_bundle_id" && "$profile_app_id" != "$profile_team.$expected_bundle_id" ]]; then
+ echo "Provisioning profile '$profile_name' has app identifier '$profile_app_id', expected '$profile_team.$expected_bundle_id'."
>&2
+ return 1
+ fi
+
+ local profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
+ local profile_path="$profile_dir/$profile_uuid.provisionprofile"
+ mkdir -p "$profile_dir"
+ mv "$tmp_profile" "$profile_path"
+
+ export APPLE_SIGNING_PROFILE_PATH="$profile_path"
+ export APPLE_SIGNING_PROFILE_UUID="$profile_uuid"
+ export APPLE_SIGNING_PROFILE_NAME="$profile_name"
+ export APPLE_SIGNING_PROFILE_TEAM="$profile_team"
+ apple_register_cleanup "rm -f \"$profile_path\""
+ echo "Installed macOS provisioning profile: $profile_name ($profile_uuid)"
+}
diff --git a/scripts/package-macos-app-store-pkg.sh b/scripts/package-macos-app-store-pkg.sh
index 5eff39fa..544683cd 100755
--- a/scripts/package-macos-app-store-pkg.sh
+++ b/scripts/package-macos-app-store-pkg.sh
@@ -40,25 +40,22 @@ app_build_commit="${GIT_BUILD_COMMIT:-${BUILD_ID_LINE:-unknown}}"
 tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
 cleanup() {
+ local status=$?
 rm -rf "$tmp_dir"
+ apple_run_cleanup
+ return "$status"
 }
 trap cleanup EXIT
 apple_setup_signing_keychain
+apple_install_base64_provision_profile \
+ APPLE_MAC_PROVISION_PROFILE_BASE64 \
+ plus.svc.xworkmate
-apple_decode_base64() {
- if base64 --help 2>&1 | grep -q -- '--decode'; then
- base64 --decode
- else
- base64 -D
- fi
-}
-
-profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
-profile_path="$profile_dir/xworkmate-macos.mobileprovision"
-mkdir -p "$profile_dir"
-printf '%s' "$APPLE_MAC_PROVISION_PROFILE_BASE64" | apple_decode_base64 > "$profile_path"
-apple_register_cleanup "rm -f \"$profile_path\""
+if [[ "$APPLE_SIGNING_PROFILE_TEAM" != "N3G9T67W78" ]]; then
+ echo "Provisioning profile team '$APPLE_SIGNING_PROFILE_TEAM' does not match expected team 'N3G9T67W78'." >&2
+ exit 1
+fi
 mkdir -p "$DIST_DIR"
 archive_path="$tmp_dir/$APP_NAME.xcarchive"
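Review bot: In `apple_install_base64_provision_profile`, `profile_uuid` is taken from the decoded profile and used unchecked in `local profile_path="$profile_dir/$profile_uuid.provisionprofile"` and in the `rm -f` string handed to `apple_register_cleanup`. A missing value installs a file named `.provisionprofile`, and a value containing `/` or a double quote would make the `mv` and the later cleanup act on a path outside the profiles directory. Add a guard before the `mv`, such as `[[ "$profile_uuid" =~ ^[0-9A-Fa-f-]{36}$ ]] || { echo "Unexpected profile UUID '$profile_uuid'." >&2; return 1; }`. The function also never reads `:ExpirationDate`, so an expired profile passes every check here and is rejected only later by xcodebuild.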
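Review bot: The local `apple_decode_base64()` definition is deleted from package-macos-app-store-pkg.sh, but the new `apple_install_base64_provision_profile` in scripts/ci/apple_signing.sh still pipes through `apple_decode_base64`, and that file's diff adds no such function. Unless the helper already exists in apple_signing.sh outside the shown hunk, the call fails with "command not found" and, depending on `set -e`/`pipefail` (not visible here), `security cms` may be handed an empty file. Confirm the helper is defined in the library before merging. The team ID `N3G9T67W78` is also repeated in the new check and in `DEVELOPMENT_TEAM`; a single `readonly expected_team_id="N3G9T67W78"` would keep the copies from drifting.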
@@ -80,12 +77,15 @@ xcodebuild archive \ -scheme Runner \ -configuration Release \ -archivePath "$archive_path" \ + -allowProvisioningUpdates \ + -allowProvisioningDeviceRegistration \ DEVELOPMENT_TEAM="N3G9T67W78" xcodebuild -exportArchive \ -archivePath "$archive_path" \ -exportPath "$DIST_DIR" \ - -exportOptionsPlist "$export_options_path" + -exportOptionsPlist "$export_options_path" \ + -allowProvisioningUpdates if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2
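Review bot: With `-allowProvisioningUpdates` on both `xcodebuild` calls, Xcode may download or create a provisioning profile on its own, so the profile just validated for platform, bundle ID and team is not necessarily the one that signs the archive. Nothing in the visible lines passes `APPLE_SIGNING_PROFILE_UUID` or `APPLE_SIGNING_PROFILE_NAME` to the build. If the validated profile is meant to be binding, keep manual signing and pin it, e.g. `PROVISIONING_PROFILE_SPECIFIER="$APPLE_SIGNING_PROFILE_NAME"` next to `DEVELOPMENT_TEAM`. `-allowProvisioningDeviceRegistration` additionally lets a CI run register the runner as a device in the developer account, which an App Store archive does not need, so I would drop that flag. The `xcodebuild archive` command starts above the hunk, so its earlier arguments (any `-authenticationKeyPath` and related options) are not visible here.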