diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 87810fbdd..556370dab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -150,6 +150,13 @@ jobs:
 tag: '${{ needs.version.outputs.version_next }}'
 default_author: github_actions
+ - name: Retrieve the Apple private key and decode it to a file
+ if: inputs.github_release
+ env:
+ APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }}
+ run: |
+ echo APPLE_PRIVATE_KEY | base64 --decode > ./secret/apple_private_key.p8
+
 - name: Conveyor build apps
 uses: hydraulic-software/conveyor/actions/build@v11.4
 if: inputs.github_release
@@ -158,8 +165,8 @@ jobs:
 signing_key: ${{ secrets.CONVEYOR_SIGNING_KEY }}
 agree_to_license: 1
 env:
- APPLE_ASP: ${{ secrets.APPLE_ASP }}
- APPLE_ID: ${{ secrets.APPLE_ID }}
+ APPLE_ISSUER_ID: ${{ secrets.APPLE_ISSUER_ID }}
+ APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
 - name: Adjust Conveyor output
 if: inputs.github_release
diff --git a/.gitignore b/.gitignore
index 55302487a..43a0a4c33 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,3 +52,4 @@ application-oauth2.yml
 ### Conveyor
 output/
+secret/
diff --git a/conveyor.ci.conf b/conveyor.ci.conf
index e50ec9124..f9bd393bb 100644
--- a/conveyor.ci.conf
+++ b/conveyor.ci.conf
@@ -4,8 +4,9 @@ app {
 mac.certificate = apple.cer
 mac.notarization {
- app-specific-password = ${env.APPLE_ASP}
- team-id = GCZZU2X3J2
- apple-id = ${env.APPLE_ID}
+ issuer-id = ${env.APPLE_ISSUER_ID}
+ key-id = ${env.APPLE_KEY_ID}
+ ; the secret is written to file by CI from Gihub Secrets
+ private-key = ./secret/apple_private_key.p8
 }
 }
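Review bot: In the first release.yml hunk the new `run` line pipes the literal text `APPLE_PRIVATE_KEY` into `base64 --decode`, because the variable is never expanded, so the file cannot end up holding the key. Expand and quote it, and since `secret/` is git-ignored by this same commit and so presumably absent from a fresh checkout, create it with tight permissions first: `umask 077`, `mkdir -p ./secret`, `printf '%s' "$APPLE_PRIVATE_KEY" | base64 --decode > ./secret/apple_private_key.p8`. Passing the secret through `env:` rather than interpolating it into the script is the right choice and should stay. The decoded key remains in the workspace for every later step, so a final `if: always()` step that removes `./secret` would limit how long it sits on the runner. The steps list this entry belongs to starts outside the hunk.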
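Review bot: The step whose `env:` block the second release.yml hunk edits is the Conveyor build step, which the previous hunk's context shows is referenced by the mutable tag `hydraulic-software/conveyor/actions/build@v11.4`. That step already receives `CONVEYOR_SIGNING_KEY` and, after this commit, also runs with the decoded Apple API key on disk, so a retagged release of the action would have access to both. The `uses:` line is unchanged here, but pinning it would fit this change, e.g. `uses: hydraulic-software/conveyor/actions/build@<full-commit-sha> # v11.4`. The step's `with:` block begins outside the hunk.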
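Review bot: The added line `; the secret is written to file by CI from Gihub Secrets` inside `mac.notarization` uses `;` as a comment marker, but as far as I know HOCON, the format Conveyor configs use, only recognises `#` and `//` as comment starts, so this line may fail to parse or be read as a key. I would write `# the secret is written to this file by CI from GitHub Secrets`, which also fixes the "Gihub" typo. The hard-coded `./secret/apple_private_key.p8` has to stay in sync with the path the workflow writes, and what the relative path resolves against is not visible in this diff, so that is worth confirming. The enclosing `app {` block opens outside the hunk.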