diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f7e4fe2..fdcad35 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,14 +17,17 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    # darwin builds on macOS so the arm64 binary is signed in a way Apple
+    # Silicon's kernel accepts; cross-compiling it on Linux yields a binary the
+    # kernel SIGKILLs at exec.
+    runs-on: ${{ matrix.runner }}
     strategy:
       matrix:
         include:
-          - { goos: darwin, goarch: arm64 }
-          - { goos: linux, goarch: amd64 }
-          - { goos: linux, goarch: arm64 }
-          - { goos: windows, goarch: amd64 }
+          - { runner: macos-14, goos: darwin, goarch: arm64 }
+          - { runner: ubuntu-latest, goos: linux, goarch: amd64 }
+          - { runner: ubuntu-latest, goos: linux, goarch: arm64 }
+          - { runner: ubuntu-latest, goos: windows, goarch: amd64 }
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
diff --git a/install.sh b/install.sh
index 320209c..64c2dfc 100755
--- a/install.sh
+++ b/install.sh
@@ -61,6 +61,13 @@ fi
 
 cp "$tmp/$asset" "$bin_dir/podcli"
 chmod 0755 "$bin_dir/podcli"
+
+# Apple Silicon's kernel kills cross-compiled (Linux-built) arm64 binaries whose
+# signature it won't accept, even with a valid-on-disk ad-hoc signature. Re-sign
+# ad-hoc on the Mac so the binary runs.
+if [ "$goos" = "darwin" ] && command -v codesign >/dev/null 2>&1; then
+  codesign --force --sign - "$bin_dir/podcli" >/dev/null 2>&1 || true
+fi
 echo "  installed: $bin_dir/podcli"
 
 linked=""