diff --git a/CHANGELOG.md b/CHANGELOG.md
index 791144a1..cf602b41 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 at build time. ([#407](https://github.com/ipetkov/crane/pull/407))
 * Fixed handling of dummy target names to avoid issues with `cargo doc`. ([#410](https://github.com/ipetkov/crane/pull/410))
+* `removeReferencesToVendoredSources` now signs `aarch64-darwin` binaries. ([#418](https://github.com/ipetkov/crane/pull/418))
 ## [0.14.1] - 2023-09-23
diff --git a/checks/codesign/Cargo.lock b/checks/codesign/Cargo.lock
new file mode 100644
index 00000000..f2c52e59
--- /dev/null
+++ b/checks/codesign/Cargo.lock
@@ -0,0 +1,143 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "bitflags" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635" + +[[package]] +name = "cc" +version = "1.0.83" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" +dependencies = [ + "libc", +] + +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + +[[package]] +name = "codesign" +version = "0.1.0" +dependencies = [ + "openssl", +] + +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + +[[package]] +name = "libc" +version = "0.2.149" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b" + +[[package]] +name = "once_cell" +version = "1.18.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" + +[[package]] +name = "openssl" +version = "0.10.57" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bac25ee399abb46215765b1cb35bc0212377e58a061560d8b29b024fd0430e7c" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + 
"openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "openssl-sys" +version = "0.9.93" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db4d56a4c0478783083cfafcc42493dd4a981d41669da64b4572a2a089b51b1d" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + +[[package]] +name = "pkg-config" +version = "0.3.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" + +[[package]] +name = "proc-macro2" +version = "1.0.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.33" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "syn" +version = "2.0.38" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "unicode-ident" +version = "1.0.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" + +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" 
diff --git a/checks/codesign/Cargo.toml b/checks/codesign/Cargo.toml
new file mode 100644
index 00000000..31b4a7e3
--- /dev/null
+++ b/checks/codesign/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "codesign"
+version = "0.1.0"
+edition = "2021"
+
+[profile.release]
+debug = true
+
+[dependencies]
+openssl = "*"
diff --git a/checks/codesign/src/main.rs b/checks/codesign/src/main.rs
new file mode 100644
index 00000000..2a4b787e
--- /dev/null
+++ b/checks/codesign/src/main.rs
@@ -0,0 +1,3 @@
+fn main() {
+ openssl::ssl::SslConnector::builder(openssl::ssl::SslMethod::tls()).unwrap();
+}
diff --git a/checks/default.nix b/checks/default.nix
index c15a6a16..0514c184 100644
--- a/checks/default.nix
+++ b/checks/default.nix
@@ -12,6 +12,7 @@ let
 extensions = [ "llvm-tools" ];
 });
 x64Linux = pkgs.hostPlatform.system == "x86_64-linux";
+ aarch64Darwin = pkgs.hostPlatform.system == "aarch64-darwin";
 in
 {
 cleanCargoTomlTests = callPackage ./cleanCargoTomlTests { };
@@ -107,6 +108,20 @@ in
 };
 });
 
+ # https://github.com/ipetkov/crane/issues/417
+ codesign = lib.optionalAttrs aarch64Darwin (
+ let
+ codesignPackage = myLib.buildPackage {
+ src = ./codesign;
+ cargoArtifacts = null;
+ nativeBuildInputs = [ pkgs.pkg-config pkgs.libiconv ];
+ buildInputs = [ pkgs.openssl ];
+ dontStrip = true;
+ };
+ in
+ pkgs.runCommand "codesign" { } "${codesignPackage}/bin/codesign > $out"
+ );
+
 compilesFresh = callPackage ./compilesFresh.nix { };
 compilesFreshSimple = self.compilesFresh "simple" (myLib.cargoBuild) {
 src = ./simple;
diff --git a/docs/API.md b/docs/API.md
index 67beb36e..fac26c47 100644
--- a/docs/API.md
+++ b/docs/API.md
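Review bot: `openssl = "*"` in the new `[dependencies]` table accepts any published version, so the only pin is the `openssl 0.10.57` entry in the committed Cargo.lock; a `cargo update` or a regenerated lockfile would silently move the fixture to whatever is newest, including a new major. A caret requirement matching the lockfile, `openssl = "0.10"`, keeps the fixture reproducible without the lockfile doing all the work. `[profile.release] debug = true` is presumably what keeps vendor-directory paths inside the binary so the hook has something to rewrite (and a signature to invalidate); a one-line comment above it saying so would stop the setting from reading as an arbitrary choice.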
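Review bot: `codesign = lib.optionalAttrs aarch64Darwin (...)` in the second default.nix hunk sets `codesign` to `{}` on every other platform rather than omitting the attribute, because `optionalAttrs` returns an empty set when its condition is false; if this set is fed to `nix flake check`, an empty attrset where a derivation is expected may be rejected, so either confirm the consumer filters non-derivations or hoist the condition to the set level with `// lib.optionalAttrs aarch64Darwin { codesign = ...; }`. The check itself relies on `${codesignPackage}/bin/codesign` being refused by the kernel at exec time when the patched binary's signature is invalid, but the comment only links the issue and gives no such expectation. Stating that above `codesign =`, together with why `dontStrip = true` is needed (keeping the debug-info paths the hook rewrites, if that is the intent), would let a reader judge whether the check can pass vacuously. The enclosing attribute set starts and ends outside the hunk.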
@@ -1546,6 +1546,8 @@ sources themselves. It takes two positional arguments:
 * Note: it is expected that this directory has the exact structure as would be produced by `craneLib.vendorCargoDeps`
+Any patched binaries on `aarch64-darwin` will be [signed](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). You can disable this functionality by setting `doNotSign`.
+
 **Automatic behavior:** if `cargoVendorDir` is set and `doNotRemoveReferencesToVendorDir` is not set, then `removeReferencesToVendoredSources "$out" "$cargoVendorDir"` will be run as a
diff --git a/lib/setupHooks/removeReferencesToVendoredSources.nix b/lib/setupHooks/removeReferencesToVendoredSources.nix
index 54595d3c..5acec95e 100644
--- a/lib/setupHooks/removeReferencesToVendoredSources.nix
+++ b/lib/setupHooks/removeReferencesToVendoredSources.nix
@@ -1,10 +1,18 @@
-{ makeSetupHook
+{ darwin
+, lib
+, makeSetupHook
+, stdenv
 }:
+let
+ darwinCodeSign = stdenv.targetPlatform.isDarwin && stdenv.targetPlatform.isAarch64;
+in
 makeSetupHook {
 name = "removeReferencesToVendoredSourcesHook";
 substitutions = {
 storeDir = builtins.storeDir;
+ sourceSigningUtils = if darwinCodeSign then "source ${darwin.signingUtils}" else null;
+ signIfRequired = if darwinCodeSign then ''if [ -z "''${doNotSign-}" ]; then signIfRequired "''${installedFile}"; fi'' else null;
 };
 } ./removeReferencesToVendoredSourcesHook.sh
diff --git a/lib/setupHooks/removeReferencesToVendoredSourcesHook.sh b/lib/setupHooks/removeReferencesToVendoredSourcesHook.sh
index a23dfd2e..4a214c47 100644
--- a/lib/setupHooks/removeReferencesToVendoredSourcesHook.sh
+++ b/lib/setupHooks/removeReferencesToVendoredSourcesHook.sh
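Review bot: `darwinCodeSign` is gated on `stdenv.targetPlatform` while `checks/default.nix` in this same commit gates on `pkgs.hostPlatform`, and the two only agree when this hook is consumed as a nativeBuildInput through normal splicing, where the hook's target platform is the consumer's host platform; nothing in the file says this is deliberate. A comment on the `let`, e.g. `# This hook is a nativeBuildInput, so targetPlatform is the platform the patched binaries run on`, would keep a future reader from "fixing" it to hostPlatform. The `signIfRequired` substitution also hard-codes `''${installedFile}`, which must match the loop variable in removeReferencesToVendoredSourcesHook.sh whose `while read` header is not in this diff; that cross-file contract deserves a comment next to the substitution. When `darwinCodeSign` is false both values are `null`, which works only because the derivation coerces `null` to the empty string so `@signIfRequired@` expands to nothing; `else ""` would state that intent directly.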
@@ -26,9 +26,13 @@ removeReferencesToVendoredSources() {
 echo -n '\)!@storeDir@/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee!g'
 )
+
+ @signIfRequired@
 done < <(find "${installLocation}" -type f)
 }
+@sourceSigningUtils@
+
 if [ -n "${doNotRemoveReferencesToVendorDir-}" ]; then
 echo "removeReferencesToVendoredSources disabled"
 elif [ -n "${cargoVendorDir-}" ]; then
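Review bot: `@signIfRequired@` sits inside the `find "${installLocation}" -type f` loop, so it is invoked for every installed file, not only Mach-O objects and not only files whose contents the preceding sed actually changed. That is harmless only if `signIfRequired` from `darwin.signingUtils` itself skips non-Mach-O files and still-valid signatures, which I believe it does but cannot confirm from this hunk. A comment above the substitution, e.g. `# Re-sign: the in-place sed above invalidates the binary's code signature, and aarch64-darwin refuses to execute a binary whose signature no longer matches`, would record why the step lives here and why `doNotSign` exists as an escape hatch. The loop's `while read` header, and therefore the variable the substituted snippet references, is outside the hunk.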