diff --git a/.github/workflows/macos-notarize.yml b/.github/workflows/macos-notarize.yml
index c826dbfc..5f2d42dd 100644
--- a/.github/workflows/macos-notarize.yml
+++ b/.github/workflows/macos-notarize.yml
@@ -105,10 +105,14 @@ jobs:
           codesign --force --sign "$SIGNING_IDENTITY" --timestamp --options runtime \
             "$SPARKLE/Updater.app"
 
-          # Sign the framework version and top-level
-          codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$SPARKLE"
+          # Sign the Sparkle dylib itself before signing the framework bundle
           codesign --force --sign "$SIGNING_IDENTITY" --timestamp \
-            "Nook.app/Contents/Frameworks/Sparkle.framework"
+            "$SPARKLE/Sparkle"
+
+          # Sign the framework version (Versions/B) — do NOT also sign the
+          # top-level Sparkle.framework symlink; it resolves to the same Versions/B
+          # directory and double-signing would invalidate the signature.
+          codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$SPARKLE"
 
           # Re-sign the main app with entitlements and hardened runtime
           codesign --force --sign "$SIGNING_IDENTITY" --timestamp \
@@ -116,6 +120,9 @@ jobs:
             --entitlements "$(pwd)/Nook/Nook.entitlements" \
             "Nook.app"
 
+      - name: Verify signature before notarizing
+        run: codesign --verify --deep --strict --verbose=2 "Nook.app"
+
       - name: Notarize app
         env:
           APPLE_ID: ${{ secrets.APPLE_ID }}
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 00000000..1eb04376
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,21 @@
+[submodule "Fuzi"]
+	path = Fuzi
+	url = https://github.com/cezheng/Fuzi.git
+[submodule "Highlightr"]
+	path = Highlightr
+	url = https://github.com/raspu/Highlightr.git
+[submodule "LRUCache"]
+	path = LRUCache
+	url = https://github.com/nicklockwood/LRUCache.git
+[submodule "Motion"]
+	path = Motion
+	url = https://github.com/b3ll/Motion.git
+[submodule "reeeed"]
+	path = reeeed
+	url = https://github.com/nate-parrott/reeeed.git
+[submodule "swift-atomics"]
+	path = swift-atomics
+	url = https://github.com/apple/swift-atomics.git
+[submodule "swift-numerics"]
+	path = swift-numerics
+	url = https://github.com/apple/swift-numerics.git