diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
index e3dfd3a8e..d4da15e86 100644
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@@ -54,10 +54,12 @@ jobs:
 
       - name: Build mac production binaries
         if: runner.os == 'macOS'
-        run: $(yarn bin)/electron-builder --config.extraMetadata.environment=$SIGNAL_ENV --config.mac.bundleVersion=${{ github.ref }} --publish=never --config.directories.output=release
+        run: |
+          source ./build/setup-mac-certificate.sh
+          $(yarn bin)/electron-builder --config.extraMetadata.environment=$SIGNAL_ENV --config.mac.bundleVersion=${{ github.ref }} --publish=never --config.directories.output=release
         env:
-          CSC_LINK: ${{ secrets.MAC_CERTIFICATE }}
-          CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
+          MAC_CERTIFICATE: ${{ secrets.MAC_CERTIFICATE }}
+          MAC_CERTIFICATE_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
           SIGNING_APPLE_ID: ${{ secrets.SIGNING_APPLE_ID }}
           SIGNING_APP_PASSWORD: ${{ secrets.SIGNING_APP_PASSWORD }}
           SIGNING_TEAM_ID: ${{ secrets.SIGNING_TEAM_ID }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2ea6585df..5d61ca569 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,10 +51,12 @@ jobs:
 
       - name: Build mac production binaries
         if: runner.os == 'macOS'
-        run: $(yarn bin)/electron-builder --config.extraMetadata.environment=$SIGNAL_ENV --config.mac.bundleVersion=${{ github.ref }} --publish=always
+        run: |
+          source ./build/setup-mac-certificate.sh
+          $(yarn bin)/electron-builder --config.extraMetadata.environment=$SIGNAL_ENV --config.mac.bundleVersion=${{ github.ref }} --publish=always
         env:
-          CSC_LINK: ${{ secrets.MAC_CERTIFICATE }}
-          CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
+          MAC_CERTIFICATE: ${{ secrets.MAC_CERTIFICATE }}
+          MAC_CERTIFICATE_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
           SIGNING_APPLE_ID: ${{ secrets.SIGNING_APPLE_ID }}
           SIGNING_APP_PASSWORD: ${{ secrets.SIGNING_APP_PASSWORD }}
           SIGNING_TEAM_ID: ${{ secrets.SIGNING_TEAM_ID }}
diff --git a/build/setup-mac-certificate.sh b/build/setup-mac-certificate.sh
new file mode 100755
index 000000000..60d964b0c
--- /dev/null
+++ b/build/setup-mac-certificate.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+if [ -z "$MAC_CERTIFICATE" ]; then
+  echo "MAC_CERTIFICATE not set. Ignoring."
+else
+  export CSC_LINK="$MAC_CERTIFICATE"
+  echo "MAC_CERTIFICATE found."
+fi
+
+if [ -z "$MAC_CERTIFICATE_PASSWORD" ]; then
+  echo "MAC_CERTIFICATE_PASSWORD not set. Ignoring."
+else
+  export CSC_KEY_PASSWORD="$MAC_CERTIFICATE_PASSWORD"
+  echo "MAC_CERTIFICATE_PASSWORD found."
+fi