diff --git a/build/entitlements-sandbox.mac.plist b/build/entitlements-sandbox.mac.plist
new file mode 100644
index 000000000..e3c0aaefe
--- /dev/null
+++ b/build/entitlements-sandbox.mac.plist
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- https://github.com/electron/electron-notarize#prerequisites -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+
+    <!-- https://github.com/electron-userland/electron-builder/issues/3940 -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+
+    <!-- Enable the app sandbox -->
+    <key>com.apple.security.app-sandbox</key>
+    <true/>
+    <key>com.apple.security.inherit</key>
+    <true/>
+
+    <!-- Allow opening outgoing network connections -->
+    <key>com.apple.security.network.client</key>
+    <true/>
+
+    <!-- Allow opening & saving files for upload & download -->
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+
+    <!-- Access to camera & microphone for calls ->
+    <key>com.apple.security.device.camera</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+</dict>
+</plist>
diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
index 9b66d24bd..8f8d787b1 100644
--- a/build/entitlements.mac.plist
+++ b/build/entitlements.mac.plist
@@ -10,10 +10,6 @@
     <key>com.apple.security.cs.disable-library-validation</key>
     <true/>
 
-    <!-- Enable the app sandbox -->
-    <key>com.apple.security.app-sandbox</key>
-    <true/>
-
     <!-- Allow opening outgoing network connections -->
     <key>com.apple.security.network.client</key>
     <true/>
diff --git a/electron-builder.ts b/electron-builder.ts
index bfd636118..e996979c1 100644
--- a/electron-builder.ts
+++ b/electron-builder.ts
@@ -182,11 +182,13 @@ if (process.env.ED_SIGNTOOL_SUBJECT_NAME && process.env.ED_SIGNTOOL_THUMBPRINT)
 /**
  * Allow specifying ElectronTeamID via env vars
  * @param {string} process.env.APPLE_TEAM_ID
+ * Workaround for https://github.com/electron-userland/electron-builder/issues/7995
  */
 if (process.env.APPLE_TEAM_ID) {
     config.mac.extendInfo = {
         ElectronTeamID: process.env.APPLE_TEAM_ID,
     };
+    config.mac.entitlements = "./build/entitlements-sandbox.mac.plist";
 }
 
 /**