diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 3ea9a177..7f57957a 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -299,7 +299,7 @@ jobs: runs-on: macos-latest env: - QT_VERSION: 6.4.3 + QT_VERSION: 6.8.0 QIF_VERSION: 4.6 QT_MIRROR: https://mirrors.ocf.berkeley.edu/qt/ PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }} @@ -309,7 +309,7 @@ jobs: - name: 'Setup Xcode' uses: maxim-lobanov/setup-xcode@v1 with: - xcode-version: '14.3.1' + xcode-version: '16.1.0' - name: 'Install desktop Qt' uses: jurplel/install-qt-action@v3 @@ -317,7 +317,7 @@ jobs: version: ${{ env.QT_VERSION }} host: 'mac' target: 'desktop' - modules: 'qtremoteobjects qt5compat qtshadertools qtmultimedia' + modules: 'qtremoteobjects qt5compat qtshadertools qtmultimedia qtimageformats' arch: 'clang_64' dir: ${{ runner.temp }} set-env: 'true' 
@@ -345,19 +345,27 @@ jobs: - name: 'Set execute permissions for deploy script' run: chmod +x deploy/build_macos_ne.sh - # - name: 'Build and deploy macOS NE' - # run: | - # export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin" - # export QIF_BIN_DIR="${{ runner.temp }}/Qt/Tools/QtInstallerFramework/${{ env.QIF_VERSION }}/bin" - # export QT_MACOS_ROOT_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos" - # bash deploy/build_macos_ne.sh - # env: - # APPSTORE_CONNECT_KEY_ID: ${{ secrets.APPSTORE_CONNECT_KEY_ID }} - # APPSTORE_CONNECT_ISSUER_ID: ${{ secrets.APPSTORE_CONNECT_ISSUER_ID }} - # APPSTORE_CONNECT_PRIVATE_KEY: ${{ secrets.APPSTORE_CONNECT_PRIVATE_KEY }} - # MAC_TRUST_CERT_BASE64: ${{ secrets.IOS_TRUST_CERT_BASE64 }} - # MAC_SIGNING_CERT_BASE64: ${{ secrets.IOS_SIGNING_CERT_BASE64 }} - # MAC_SIGNING_CERT_PASSWORD: ${{ secrets.IOS_SIGNING_CERT_PASSWORD }} + - name: 'Build and deploy macOS NE' + run: | + export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin" + export QT_MACOS_ROOT_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos" + bash deploy/build_macos_ne.sh + env: + MAC_TRUST_CERT_BASE64: ${{ secrets.MAC_TRUST_CERT_BASE64 }} + MAC_SIGNING_CERT_BASE64: ${{ secrets.MAC_SIGNING_CERT_BASE64 }} + MAC_SIGNING_CERT_PASSWORD: ${{ secrets.MAC_SIGNING_CERT_PASSWORD }} + APPSTORE_CONNECT_MAC_PROVISIONING_BASE64: ${{ secrets.APPSTORE_CONNECT_MAC_PROVISIONING }} + APPSTORE_CONNECT_MAC_NE_PROVISIONING_BASE64: ${{ secrets.APPSTORE_CONNECT_MAC_NE_PROVISIONING }} + APPSTORE_CONNECT_KEY_ID: ${{ secrets.APPSTORE_CONNECT_KEY_ID }} + APPSTORE_CONNECT_ISSUER_ID: ${{ secrets.APPSTORE_CONNECT_ISSUER_ID }} + APPSTORE_CONNECT_PRIVATE_KEY: ${{ secrets.APPSTORE_CONNECT_PRIVATE_KEY }} + - name: 'Upload macOS .dmg and dSYMs to artifacts' + uses: actions/upload-artifact@v4 + with: + name: macos dmg & dsyms + path: | + ${{ github.workspace }}/AmneziaVPN.dmg + retention-days: 7 # ------------------------------------------------------ 
Build-Android: diff --git a/deploy/build_macos_ne.sh b/deploy/build_macos_ne.sh index 4c21ec02..066bf4f6 100755 --- a/deploy/build_macos_ne.sh +++ b/deploy/build_macos_ne.sh @@ -14,8 +14,8 @@ done PROJECT_DIR=$(pwd) DEPLOY_DIR=$PROJECT_DIR/deploy -mkdir -p $DEPLOY_DIR/build -BUILD_DIR=$DEPLOY_DIR/build +mkdir -p $DEPLOY_DIR/build-macos +BUILD_DIR=$DEPLOY_DIR/build-macos echo "Project dir: ${PROJECT_DIR}" echo "Build dir: ${BUILD_DIR}" 
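Review bot: In `.github/workflows/deploy.yml`, the re-enabled 'Build and deploy macOS NE' step passes `APPSTORE_CONNECT_KEY_ID`, `APPSTORE_CONNECT_ISSUER_ID` and `APPSTORE_CONNECT_PRIVATE_KEY` to `deploy/build_macos_ne.sh`, but nothing in the script changes shown in this commit reads them. The new `xcodebuild` call takes no authentication-key arguments, and `-allowProvisioningUpdates` was dropped with the old `cmake --build` line. Unless the part of the script outside the diff consumes them, drop those three `env:` entries so the App Store Connect API key is not exposed to a build that only needs the signing certificate and provisioning profiles. Separately, the upload step names the artifact `macos dmg & dsyms` while `path:` lists only `AmneziaVPN.dmg`, so either add the dSYM path or rename the artifact.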
@@ -35,100 +35,89 @@ INSTALLER_DATA_DIR=$BUILD_DIR/installer/packages/$APP_DOMAIN/data INSTALLER_BUNDLE_DIR=$BUILD_DIR/installer/$APP_FILENAME DMG_FILENAME=$PROJECT_DIR/${APP_NAME}.dmg +echo "Import certificate" + +TRUST_CERT_CER=$BUILD_DIR/trust-cert.cer +SIGNING_CERT_P12=$BUILD_DIR/signing-cert.p12 + +echo $MAC_TRUST_CERT_BASE64 | base64 --decode > $TRUST_CERT_CER +echo $MAC_SIGNING_CERT_BASE64 | base64 --decode > $SIGNING_CERT_P12 + +shasum -a 256 $TRUST_CERT_CER +shasum -a 256 $SIGNING_CERT_P12 +KEYCHAIN_PASS=$MAC_SIGNING_CERT_PASSWORD + +# Keychain setup +KEYCHAIN=amnezia.build.macos.keychain +TEMP_PASS=tmp_pass +KEYCHAIN_FILE=$HOME/Library/Keychains/$KEYCHAIN-db + +security create-keychain -p $TEMP_PASS $KEYCHAIN || true +security default-keychain -s $KEYCHAIN +security unlock-keychain -p $TEMP_PASS $KEYCHAIN + +security default-keychain +security list-keychains + +# Import certificates into keychain +security import $TRUST_CERT_CER -k $KEYCHAIN -P "" -T /usr/bin/codesign || true +security import $SIGNING_CERT_P12 -k $KEYCHAIN -P $MAC_SIGNING_CERT_PASSWORD -T /usr/bin/codesign || true + +# Configure keychain settings +security set-key-partition-list -S apple-tool:,apple: -k $TEMP_PASS $KEYCHAIN +security find-identity -p codesigning + # Setup provisioning profiles for main app and NE echo "Setting up provisioning profiles..." 
-# Tạo thư mục Provisioning Profiles nếu chưa tồn tại -mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles +PROVISIONING_PROFILE_PATH=$BUILD_DIR/macos_app_provisioning.mobileprovision +echo $APPSTORE_CONNECT_MAC_PROVISIONING_BASE64 | base64 --decode > "$PROVISIONING_PROFILE_PATH" +shasum -a 256 "$PROVISIONING_PROFILE_PATH" -# Setup provisioning profile cho main app -echo "Setting up provisioning profile for main app (AmneziaVPN)" -cp $PROJECT_DIR/deploy/AnhTVMacOSMain.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/ -macos_main_uuid=$(grep UUID -A1 -a ~/Library/MobileDevice/Provisioning\ Profiles/AnhTVMacOSMain.provisionprofile | grep -io "[-A-F0-9]\{36\}") -mv ~/Library/MobileDevice/Provisioning\ Profiles/AnhTVMacOSMain.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/$macos_main_uuid.mobileprovision +NE_PROVISIONING_PROFILE_PATH=$BUILD_DIR/macos_ne_provisioning.mobileprovision +echo $APPSTORE_CONNECT_MAC_NE_PROVISIONING_BASE64 | base64 --decode > "$NE_PROVISIONING_PROFILE_PATH" +shasum -a 256 "$NE_PROVISIONING_PROFILE_PATH" -# Setup provisioning profile cho Network Extension (NE) -echo "Setting up provisioning profile for Network Extension" -cp $PROJECT_DIR/deploy/AnhTVMacOSNE.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/macos_ne.mobileprovision -macos_ne_uuid=$(grep UUID -A1 -a ~/Library/MobileDevice/Provisioning\ Profiles/macos_ne.mobileprovision | grep -io "[-A-F0-9]\{36\}") -mv ~/Library/MobileDevice/Provisioning\ Profiles/macos_ne.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/$macos_ne_uuid.mobileprovision +# setup environment +QT_MACOS_BIN=$QT_BIN_DIR +export PATH=$PATH:~/go/bin +echo "QT_BIN_DIR: $QT_BIN_DIR" -# Decode and install signing certificates -echo "Installing signing certificates..." 
-echo $MAC_TRUST_CERT_BASE64 | base64 --decode > mac_trust_cert.pem -echo $MAC_SIGNING_CERT_BASE64 | base64 --decode > mac_signing_cert.p12 - -# Install certificates into keychain -security create-keychain -p password build.keychain -security default-keychain -s build.keychain -security unlock-keychain -p password build.keychain -security import mac_trust_cert.pem -k build.keychain -A -security import mac_signing_cert.p12 -k build.keychain -P $MAC_SIGNING_CERT_PASSWORD -A - -# Establish the keychain settings for the signing process -security set-key-partition-list -S apple-tool:,apple: -s -k password build.keychain - -# Check if QIF_VERSION is properly set, otherwise set a default -if [ -z "${QIF_VERSION+x}" ]; then - echo "QIF_VERSION is not set, using default 4.6" - QIF_VERSION=4.6 -fi - -QIF_BIN_DIR="$QT_BIN_DIR/../../../Tools/QtInstallerFramework/$QIF_VERSION/bin" - -# Checking environment -$QT_BIN_DIR/qt-cmake --version || { echo "Error: qt-cmake not found in $QT_BIN_DIR"; exit 1; } -cmake --version || { echo "Error: cmake not found"; exit 1; } -clang -v || { echo "Error: clang not found"; exit 1; } # Build the Network Extension app -echo "Building Network Extension App..." -mkdir -p build-macos-ne -cd build-macos-ne +echo "Building MAC Network Extension App..." +mkdir -p build-macos -$QT_BIN_DIR/qt-cmake .. -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR -DMACOS_NE=TRUE -cmake --build . --config release --target AmneziaVPN -- -allowProvisioningUpdates # Thay đổi target phù hợp cho Network Extension +$QT_MACOS_BIN/qt-cmake . -B build-macos -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR -DMACOS_NE=TRUE -DCMAKE_BUILD_TYPE=Release # Build and run tests here echo "____________________________________" -echo "............Deploy.................." +echo "............Deploying..............." echo "____________________________________" +echo "Deploying MAC Network Extension App..." -# Package Network Extension -echo "Packaging Network Extension ..." 
+mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles/ +echo $APPSTORE_CONNECT_MAC_PROVISIONING_BASE64 | base64 --decode > ~/Library/MobileDevice/Provisioning\ Profiles/macos_app.mobileprovision +echo $APPSTORE_CONNECT_MAC_NE_PROVISIONING_BASE64 | base64 --decode > ~/Library/MobileDevice/Provisioning\ Profiles/macos_ne.mobileprovision -# Copy necessary data -cp -Rv $PREBUILT_DEPLOY_DATA_DIR/* $BUNDLE_DIR/Contents/macOS -$QT_BIN_DIR/macdeployqt $OUT_APP_DIR/$APP_FILENAME -always-overwrite -qmldir=$PROJECT_DIR -cp -av $BUILD_DIR/service/server/$APP_NAME-service $BUNDLE_DIR/Contents/macOS -cp -Rv $PROJECT_DIR/deploy/data/macos/* $BUNDLE_DIR/Contents/macOS +echo "xcode build" +xcodebuild \ +"OTHER_CODE_SIGN_FLAGS=--keychain '$KEYCHAIN_FILE'" \ +-configuration Release \ +-scheme AmneziaVPN \ +-destination "platform=macOS" \ +-project $PROJECT_DIR/build-macos/AmneziaVPN.xcodeproj -# Signing and notarizing the Network Extension -if [ "${MAC_CERT_PW+x}" ]; then - CERTIFICATE_P12=$DEPLOY_DIR/PrivacyTechAppleCertDeveloperId.p12 - WWDRCA=$DEPLOY_DIR/WWDRCA.cer - KEYCHAIN=amnezia.build.macos.keychain - TEMP_PASS=tmp_pass +echo "Packaging MAC Network Extension App..." +hdiutil create -volname "$APP_NAME" \ + -srcfolder "$PROJECT_DIR/build-macos/client/Release/$APP_FILENAME" \ + -ov \ + -format UDZO \ + "$DMG_FILENAME" - security create-keychain -p $TEMP_PASS $KEYCHAIN || true - security default-keychain -s $KEYCHAIN - security unlock-keychain -p $TEMP_PASS $KEYCHAIN +# Restore keychain to default +echo "Restoring default keychain..." +security default-keychain -s "/Users/runner/Library/Keychains/login.keychain-db" - security import $WWDRCA -k $KEYCHAIN -T /usr/bin/codesign || true - security import $CERTIFICATE_P12 -k $KEYCHAIN -P $MAC_CERT_PW -T /usr/bin/codesign || true - - echo "Signing Network Extension..." 
- /usr/bin/codesign --deep --force --verbose --timestamp -o runtime --sign "$MAC_SIGNER_ID" $BUNDLE_DIR - spctl -a -vvvv $BUNDLE_DIR || true - - if [ "${NOTARIZE_APP+x}" ]; then - echo "Notarizing Network Extension bundle..." - /usr/bin/ditto -c -k --keepParent $BUNDLE_DIR $PROJECT_DIR/NE_Bundle_to_notarize.zip - xcrun notarytool submit $PROJECT_DIR/NE_Bundle_to_notarize.zip --apple-id $APPLE_DEV_EMAIL --team-id $MAC_TEAM_ID --password $APPLE_DEV_PASSWORD - rm $PROJECT_DIR/NE_Bundle_to_notarize.zip - sleep 300 - xcrun stapler staple $BUNDLE_DIR - spctl -a -vvvv $BUNDLE_DIR || true - fi -fi +echo "Build and signing process completed successfully!" \ No newline at end of file
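Review bot: The decoded signing certificate (`$BUILD_DIR/signing-cert.p12`) and the build keychain holding its private key are never removed; the script only switches the default keychain back, and only if it reaches its last lines, while the keychain is protected by the fixed password `tmp_pass`. A hosted runner VM is discarded, but on a self-hosted or reused machine the signing identity stays usable after the job, so I would generate the keychain password per run and register an `EXIT` trap that restores the default keychain, deletes the build keychain and removes the decoded certificate files. The `|| true` after `security import $SIGNING_CERT_P12 …` also hides a failed import (wrong password, corrupt secret), and `-P $MAC_SIGNING_CERT_PASSWORD` should be quoted as `-P "$MAC_SIGNING_CERT_PASSWORD"` so a password containing spaces or glob characters is passed intact. Whether `set -e` is active is decided above line 35, outside this hunk.

```shell
KEYCHAIN=amnezia.build.macos.keychain
KEYCHAIN_FILE=$HOME/Library/Keychains/$KEYCHAIN-db
# Per-run random password instead of the fixed tmp_pass
TEMP_PASS=$(openssl rand -hex 16)

cleanup() {
    # Runs on every exit path so a failed build does not leave the signing identity behind
    security default-keychain -s "$HOME/Library/Keychains/login.keychain-db" || true
    security delete-keychain "$KEYCHAIN" || true
    rm -f "$TRUST_CERT_CER" "$SIGNING_CERT_P12"
}
trap cleanup EXIT

# … unchanged: create/unlock keychain, certificate import, provisioning profiles, qt-cmake, xcodebuild, hdiutil …
```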