diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml
new file mode 100644
index 0000000..f59b66d
--- /dev/null
+++ b/.github/workflows/pack.yml
@@ -0,0 +1,83 @@
+name: Pack installers
+
+on:
+ workflow_dispatch:
+ push:
+ tags: ['v*']
+
+jobs:
+ pack-tarballs-and-windows:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ cache: npm
+ - name: Install NSIS for Windows .exe
+ run: sudo apt-get update && sudo apt-get install -y nsis
+ - run: npm ci
+ - run: npm run build
+ - run: npx oclif manifest
+ - name: Pack tarballs (all targets)
+ run: npx oclif pack tarballs --targets=linux-x64,linux-arm64,darwin-x64,darwin-arm64,win32-x64
+ - name: Pack Windows .exe (win32-x64 only)
+ run: npx oclif pack win --targets=win32-x64
+ - name: Upload tarballs + Windows installer
+ uses: actions/upload-artifact@v4
+ with:
+ name: bitmovin-cli-tarballs-and-windows
+ path: |
+ dist/*.tar.gz
+ dist/*.tar.xz
+ dist/win32/*.exe
+ if-no-files-found: error
+ retention-days: 30
+
+ pack-macos:
+ runs-on: macos-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ cache: npm
+ - run: npm ci
+ - run: npm run build
+ - run: npx oclif manifest
+ - name: Import Developer ID Installer cert into temp keychain
+ env:
+ INSTALLER_CERT_P12_BASE64: ${{ secrets.APPLE_INSTALLER_CERT_P12_BASE64 }}
+ INSTALLER_CERT_PASSWORD: ${{ secrets.APPLE_INSTALLER_CERT_PASSWORD }}
+ run: |
+ KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain"
+ KEYCHAIN_PASSWORD=$(openssl rand -base64 24)
+ P12_PATH="$RUNNER_TEMP/installer.p12"
+ echo "$INSTALLER_CERT_P12_BASE64" | base64 --decode > "$P12_PATH"
+ security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ security import "$P12_PATH" -k "$KEYCHAIN_PATH" -P "$INSTALLER_CERT_PASSWORD" -T /usr/bin/productsign -T /usr/bin/productbuild -T /usr/bin/pkgbuild -T /usr/bin/codesign
+ security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" 
"$KEYCHAIN_PATH" >/dev/null
+ security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
+ rm -f "$P12_PATH"
+ security find-identity -v -p basic "$KEYCHAIN_PATH"
+ - name: Pack tarballs (darwin targets, needed by pack:macos)
+ run: npx oclif pack tarballs --targets=darwin-x64,darwin-arm64
+ - name: Pack macOS .pkg (signed with Developer ID Installer)
+ run: npx oclif pack macos
+ - name: Verify .pkg signatures
+ run: |
+ set -e
+ for pkg in dist/macos/*.pkg; do
+ echo "=== $pkg ==="
+ pkgutil --check-signature "$pkg"
+ echo
+ done
+ - name: Upload macOS .pkg installers
+ uses: actions/upload-artifact@v4
+ with:
+ name: bitmovin-cli-macos
+ path: dist/macos/*.pkg
+ if-no-files-found: error
+ retention-days: 30
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a7af711..e8eb9f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
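Review bot: In `pack-macos`, nothing restricts which ref can reach the Developer ID Installer key: `workflow_dispatch` can be started from any branch, and after the import step the unlocked keychain sits on the user search list while `npx oclif pack macos` runs code installed from that ref. Consider putting the two `APPLE_INSTALLER_CERT_*` secrets behind a protected environment (`environment: <signing-env-name>` on the job) or guarding the job with `if: startsWith(github.ref, 'refs/tags/v')`. The workflow also declares no `permissions:` block, so `GITHUB_TOKEN` gets the repository default; a top-level `permissions:` with `contents: read` looks sufficient for what these jobs do. In the import script, `rm -f "$P12_PATH"` is skipped if any earlier `security` command fails (the default shell runs with `-e`), so a `trap 'rm -f "$P12_PATH"' EXIT` after the `P12_PATH=` line and a final `if: always()` step running `security delete-keychain "$RUNNER_TEMP/build.keychain"` would cover the failure path. The `uses:` lines reference mutable tags (`@v4`); pinning them to full commit SHAs is worth doing in a job that handles signing material.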
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added `bitmovin encoding jobs live ` to show live encoding connection details, with JSON output support. Surfaces every assigned stream key (including the per-static-ingest-point keys used by redundant RTMP) and the SRT mode/host/port/path for SRT inputs. JSON shape note for anyone tracking the unreleased branch: the `--json` output now reports `streamKeys: [{value, ingestPointId, status}]` instead of the singular `streamKey` field that earlier iterations exposed. A `streamKey` alias is still emitted (equal to `streamKeys[0]?.value`) for one-off scripts; redundant RTMP setups should read `streamKeys[]` to get every per-ingest-point key. +- CI workflow that builds standalone tarballs (macOS, Linux, Windows) plus macOS `.pkg` (signed with Developer ID Installer) and Windows `.exe` installers via `oclif pack` and uploads them as workflow artifacts for internal testing. macOS `.pkg` signature is verified via `pkgutil --check-signature` in CI. GitHub Release publishing, npm publishing, and macOS notarization will follow in subsequent changes. ### Changed diff --git a/package.json b/package.json index f730b11..6123dec 100644 --- a/package.json +++ b/package.json @@ -37,7 +37,7 @@ "dist" ], "scripts": { - "prepare": "tsc -b", + "prepare": "[ -d dist ] || tsc -b", "build": "tsc -b", "dev": "tsc -b --watch", "test": "vitest run", @@ -76,6 +76,10 @@ "oclif": { "bin": "bitmovin", "dirname": "bitmovin", + "macos": { + "identifier": "com.bitmovin.cli", + "sign": "687757AC438BFBA10137B2912CBC03F8641BB388" + }, "plugins": [ "@oclif/plugin-autocomplete" ],
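Review bot: The new `prepare` script `[ -d dist ] || tsc -b` skips compilation whenever a `dist` directory exists, so `npm pack` or `npm publish` run from a working tree with a stale `dist` would ship output that does not match the sources. If the guard is there only to avoid a rebuild during `oclif pack` (an inference, the commit does not say), adding `"prepublishOnly": "tsc -b"` would keep published packages built from the current source. `[ -d dist ]` is also POSIX shell syntax and will likely fail under npm's default `cmd.exe` script shell on Windows. The `scripts` object continues outside the hunk.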
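Review bot: The `sign` value added under `oclif.macos` is a hard-coded 40-hex identity (presumably the certificate's SHA-1 hash), and nothing in this change checks that the certificate imported in CI is the one it names, so a rotated or wrong `.p12` would only surface as a failure inside `oclif pack macos`. package.json cannot carry a comment, so record in the release docs which certificate this hash identifies and that it must change together with the `APPLE_INSTALLER_CERT_P12_BASE64` secret. The workflow's identity listing could also fail early when the hash is missing, e.g. `security find-identity -v -p basic "$KEYCHAIN_PATH" | grep -q <sign-hash-from-package.json>`.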