diff --git a/src/packaging/MacOS/pkgbuild.sh.in b/src/packaging/MacOS/pkgbuild.sh.in
index 8d97cbf73b..4c4d629bb6 100644
--- a/src/packaging/MacOS/pkgbuild.sh.in
+++ b/src/packaging/MacOS/pkgbuild.sh.in
@@ -33,6 +33,8 @@ INST_KEY=
 DEST_DIR=
 CSDB=
+CODESIGN_OPTS=
+
 while [ x"$#" != x0 ] ; do
 key="$1"
 shift
@@ -152,6 +154,11 @@ else
 exit 1
 fi
+if [ $THISREL -ge 14 ]; then
+ # Enable the Hardened Runtime capability, required as of 10.14.5.
+ CODESIGN_OPTS="--options runtime"
+fi
+
 SEP=:
 PKGROOT="$CURDIR"/pkgroot
@@ -326,9 +333,13 @@ if [ x"$PASS1" = x1 ]; then
 "$PKGROOT"/Library/OpenAFS/Tools/tools/aklog.bundle \
 "$PLUGINS"/afscell.bundle
 do
- codesign --verbose --force --timestamp --sign "$APP_KEY" "$obj"
+ codesign --verbose --force --timestamp --sign "$APP_KEY" $CODESIGN_OPTS "$obj"
 done
+ # To be notarized by Apple, all files must be signed.
+ find "$PKGROOT" -type f -exec codesign --verbose --force \
+ --timestamp --sign "$APP_KEY" $CODESIGN_OPTS {} \;
+
 # Check if our signatures for our kexts are valid. 'kextutil' will exit
 # with an error and print out a message if something is wrong with the
 # signature. Note that a code signing cert must have the
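Review bot: `$THISREL` is expanded unquoted in `[ $THISREL -ge 14 ]`, so an empty or non-numeric value makes the test error out and the script carries on without `--options runtime`, producing signatures that lack the Hardened Runtime. The code that sets THISREL is outside the hunk, and the preceding `else … exit 1` suggests it is validated there, but quoting costs nothing: `if [ "$THISREL" -ge 14 ]; then`. The comment could also say what a THISREL of 14 corresponds to, since it cites 10.14.5 while the test compares against 14.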
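Review bot: A codesign failure in the new `find … -exec … {} \;` pass never reaches the script, because find's own exit status does not reflect a command run with `\;`; a file left unsigned would surface only later, at notarization, and the kextutil check that follows covers the kexts only, per its comment. Terminating the command with `+` and checking the result, e.g. `--timestamp --sign "$APP_KEY" $CODESIGN_OPTS {} + || exit 1`, stops the build when a signature fails. This pass also re-signs with `--force` the files inside the bundles signed by the loop just above, so it may be worth confirming the bundle seals afterwards with `codesign --verify --deep --strict`. The enclosing `if [ x"$PASS1" = x1 ]` block starts and ends outside the hunk.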