diff --git a/.gitignore b/.gitignore
index 160b96f74a59ab..425a5ddbec0fca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@
 /doc/api.xml
 /node
 /node_g
+/gon-config.json
 /*.exe
 /*.swp
 /out
diff --git a/BUILDING.md b/BUILDING.md
index 4f24ebe06c0602..469a4f9281db88 100644
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -167,7 +167,7 @@ Binaries at <https://nodejs.org/download/release/> are produced on:
 | Binary package        | Platform and Toolchain                                                   |
 | --------------------- | ------------------------------------------------------------------------ |
 | aix-ppc64             | AIX 7.1 TL05 on PPC64BE with GCC 6                                       |
-| darwin-x64 (and .pkg) | macOS 10.11, Xcode Command Line Tools 10 with -mmacosx-version-min=10.10 |
+| darwin-x64 (and .pkg) | macOS 10.15, Xcode Command Line Tools 11 with -mmacosx-version-min=10.10 |
 | linux-arm64           | CentOS 7 with devtoolset-6 / GCC 6                                       |
 | linux-armv7l          | Cross-compiled on Ubuntu 16.04 x64 with [custom GCC toolchain](https://github.com/rvagg/rpi-newer-crosstools)   |
 | linux-ppc64le         | CentOS 7 with devtoolset-6 / GCC 6 <sup>[7](#fn7)</sup>                  |
diff --git a/Makefile b/Makefile
index 4ebb16cdfd0672..3a97f15fc3c6a4 100644
--- a/Makefile
+++ b/Makefile
@@ -1003,6 +1003,7 @@ $(PKG): release-only
 		--resources $(MACOSOUTDIR)/installer/productbuild/Resources \
 		--package-path $(MACOSOUTDIR)/pkgs ./$(PKG)
 	SIGN="$(PRODUCTSIGN_CERT)" PKG="$(PKG)" bash tools/osx-productsign.sh
+	bash tools/osx-notarize.sh $(FULLVERSION)
 
 .PHONY: pkg
 # Builds the macOS installer for releases.
diff --git a/deps/npm/node_modules/term-size/vendor/macos/term-size b/deps/npm/node_modules/term-size/vendor/macos/term-size
index e383cc737f8e23..c32a1fdc1b073b 100755
Binary files a/deps/npm/node_modules/term-size/vendor/macos/term-size and b/deps/npm/node_modules/term-size/vendor/macos/term-size differ
diff --git a/tools/osx-codesign.sh b/tools/osx-codesign.sh
index 6a954c737fa4c5..7ca80ca7462c3d 100644
--- a/tools/osx-codesign.sh
+++ b/tools/osx-codesign.sh
@@ -8,4 +8,13 @@ if [ "X$SIGN" == "X" ]; then
   exit 0
 fi
 
-codesign -s "$SIGN" "$PKGDIR"/bin/node
+# All macOS executable binaries in the bundle must be codesigned with the
+# hardened runtime enabled.
+# See https://github.com/nodejs/node/pull/31459
+
+codesign \
+  --sign "$SIGN" \
+  --entitlements tools/osx-entitlements.plist \
+  --options runtime \
+  --timestamp \
+  "$PKGDIR"/bin/node
diff --git a/tools/osx-entitlements.plist b/tools/osx-entitlements.plist
new file mode 100644
index 00000000000000..555c10f7ff8607
--- /dev/null
+++ b/tools/osx-entitlements.plist
@@ -0,0 +1,16 @@
+  <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>
diff --git a/tools/osx-gon-config.json.tmpl b/tools/osx-gon-config.json.tmpl
new file mode 100644
index 00000000000000..3ea16465fc1de5
--- /dev/null
+++ b/tools/osx-gon-config.json.tmpl
@@ -0,0 +1,12 @@
+{
+  "notarize": [{
+    "path": "node-{{pkgid}}.pkg",
+    "bundle_id": "org.nodejs.pkg.{{pkgid}}",
+    "staple": true
+  }],
+
+  "apple_id": {
+     "username": "{{appleid}}",
+     "password": "@env:NOTARIZATION_PASSWORD"
+  }
+}
diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh
new file mode 100755
index 00000000000000..97bb0912722495
--- /dev/null
+++ b/tools/osx-notarize.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-<version>.pkg file
+# with Apple for installation on macOS Catalina and later as validated by Gatekeeper.
+
+set -e
+
+gon_version="0.2.2"
+gon_exe="${HOME}/.gon/gon_${gon_version}"
+
+__dirname="$(CDPATH= cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+pkgid="$1"
+
+if [ "X${pkgid}" == "X" ]; then
+  echo "Usage: $0 <pkgid>"
+  exit 1
+fi
+
+if [ "X$NOTARIZATION_ID" == "X" ]; then
+  echo "No NOTARIZATION_ID environment var. Skipping notarization."
+  exit 0
+fi
+
+set -x
+
+mkdir -p "${HOME}/.gon/"
+
+if [ ! -f "${gon_exe}" ]; then
+  curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
+  (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
+fi
+
+cat tools/osx-gon-config.json.tmpl \
+  | sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" \
+  > gon-config.json
+
+"${gon_exe}" -log-level=info gon-config.json