diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 0000000..280d034 --- /dev/null +++ b/RELEASE.md 
@@ -0,0 +1,68 @@ +# Release instructions + +This section documents the release process. Unless you're a dangerzone developer making a release, you'll probably never need to follow it. + +## Changelog, version, and signed git tag + +Before making a release, all of these should be complete: + +* Update `dangerzone_version` in `dangerzone/__init__.py` +* Update `ProductVersion` in `install/windows/Dangerzone.wxs` +* CHANGELOG.md should be updated to include a list of all major changes since the last release +* There must be a PGP-signed git tag for the version, e.g. for dangerzone 0.1.0, the tag must be `v0.1.0` + +Before making a release, verify the release git tag: + +``` +git fetch +git tag -v v$VERSION +``` + +If the tag verifies successfully, check it out, and also its submodules: + +``` +git checkout v$VERSION +git submodule init +git submodule update +``` + +## macOS release + +To make a macOS release, go to macOS build machine: + +- Build machine must have: + - macOS 10.14 + - Apple-trusted `Developer ID Application: FIRST LOOK PRODUCTIONS, INC.` and `Developer ID Installer: FIRST LOOK PRODUCTIONS, INC.` code-signing certificates installed + - An app-specific Apple ID password saved in the login keychain called `flockagent-notarize` +- Verify and checkout the git tag for this release +- Run `poetry run ./install/macos/build_app.py --with-codesign`; this will make `dist/Dangerzone.dmg` +- Notarize it: `xcrun altool --notarize-app --primary-bundle-id "media.firstlook.dangerzone" -u "micah@firstlook.org" -p "@keychain:dangerzone-notarize" --file dist/Dangerzone.dmg` +- Wait for it to get approved, check status with: `xcrun altool --notarization-history 0 -u "micah@firstlook.org" -p "@keychain:dangerzone-notarize"` +- (If it gets rejected, you can see why with: `xcrun altool --notarization-info [RequestUUID] -u "micah@firstlook.org" -p "@keychain:dangerzone-notarize"`) +- After it's approved, staple the ticket: `xcrun stapler staple dist/Dangerzone.dmg` + +This 
process ends up with the final file: + +``` +dist/Dangerzone.dmg +``` + +Rename it `Dangerzone-$VERSION.dmg` before publishing. + +## Windows release + +To make a Windows release, go to the Windows build machine: + +- Build machine should be running Windows 10, and have the Windows codesigning certificate installed +- Verify and checkout the git tag for this release +- Run `install\windows\build.bat`; this will make a codesigned installer package called `dist\Dangerzone-$VERSION.msi` + +## Linux release + +Linux binaries are automatically built and deployed to repositories when a new tag is pushed. + +## Publishing the release + +To publish the release: + +- Create a new release on GitHub, put the changelog in the description of the release, and upload the macOS and Windows installers \ No newline at end of file
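Review bot: In the macOS release section, the build-machine requirements say the app-specific Apple ID password is saved in the login keychain as `flockagent-notarize`, but all three `xcrun altool` commands read it from `@keychain:dangerzone-notarize`. As written, a maintainer who follows the prerequisites will have notarization fail to find the credential. Pick one item name and use it in both places, most likely `dangerzone-notarize` in the requirements bullet. Two smaller points in the same file: `$VERSION` is used in `git tag -v v$VERSION` and the later commands without ever being defined, so a line saying to export it (and whether it carries the `v` prefix) would remove guesswork; and the "Publishing the release" step uploads the installers without asking the releaser to confirm that the `.dmg` is stapled and the `.msi` is codesigned, which would fit as a final check before upload.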