diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index d2e4757209e..3d95f2196e8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -61,7 +61,7 @@ jobs:
         # 1. Download keychain from GH secrets and decode it from base64
         # 2. Add the keychain to the system keychains and unlock it
         # 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)
-        # 4. Repackage the signed binary replaced in place by Gon
+        # 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
         # 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
         run: |
           echo "${{ secrets.KEYCHAIN }}" | base64 --decode  > ~/Library/Keychains/apple-developer.keychain-db
diff --git a/gon.config.hcl b/gon.config.hcl
index 41a6cadb604..a804b259c67 100644
--- a/gon.config.hcl
+++ b/gon.config.hcl
@@ -4,3 +4,9 @@ bundle_id = "cc.arduino.arduino-cli"
 sign {
   application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
 }
+
+# Ask Gon for zip output to force notarization process to take place.
+# The CI will ignore the zip output, using the signed binary only.
+zip {
+  output_path = "arduino-cli.zip"
+}