diff --git a/taskcluster/ci/build-notarization-part-1/kind.yml b/taskcluster/ci/build-notarization-part-1/kind.yml
new file mode 100644
index 000000000000..e0f4a75fe19e
--- /dev/null
+++ b/taskcluster/ci/build-notarization-part-1/kind.yml
@@ -0,0 +1,27 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+ - taskgraph.transforms.name_sanity:transforms
+ - taskgraph.transforms.build_signing:transforms
+ - taskgraph.transforms.signing:transforms
+ - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+ - build
+
+only-for-attributes:
+ - shippable
+ - nightly
+
+only-for-build-platforms:
+ - macosx64-shippable/opt
+ - macosx64-devedition/opt
+
+job-template:
+ treeherder:
+ symbol: BN
+ enable-signing-routes: false
diff --git a/taskcluster/docs/kinds.rst b/taskcluster/docs/kinds.rst
index 9cd5ce49ade2..e1d8f43d5528 100644
--- a/taskcluster/docs/kinds.rst
+++ b/taskcluster/docs/kinds.rst
@@ -34,6 +34,13 @@ Many builds must be signed. The build-signing task takes the unsigned `build` kind artifacts and passes them through signingscriptworker to a signing server and returns signed results.
+For mac notarization, we download the signed bits that have been notarized by Apple, and we staple the notarization to the app and pkg.
+
+build-notarization-part-1
+-------------------------
+
+We switched to a 3-part mac notarization workflow in bug 1562412. This is the first task, which signs the files and submits them for notarization.
+
 artifact-build
 --------------
diff --git a/taskcluster/taskgraph/transforms/build_signing.py b/taskcluster/taskgraph/transforms/build_signing.py
index e72e1ab935fc..fda400d8ea33 100644
--- a/taskcluster/taskgraph/transforms/build_signing.py
+++ b/taskcluster/taskgraph/transforms/build_signing.py
@@ -22,9 +22,10 @@ def add_signed_routes(config, jobs):
 for job in jobs:
 dep_job = job['primary-dependency']
+ enable_signing_routes = job.pop('enable-signing-routes', True)
 job['routes'] = []
- if dep_job.attributes.get('shippable'):
+ if dep_job.attributes.get('shippable') and enable_signing_routes:
 for dep_route in dep_job.task.get('routes', []):
 if not dep_route.startswith('index.gecko.v2'):
 continue
@@ -32,7 +33,7 @@ def add_signed_routes(config, jobs):
 rest = ".".join(dep_route.split(".")[4:])
 job['routes'].append( 'index.gecko.v2.{}.signed.{}'.format(branch, rest))
- if dep_job.attributes.get('nightly'):
+ if dep_job.attributes.get('nightly') and enable_signing_routes:
 for dep_route in dep_job.task.get('routes', []):
 if not dep_route.startswith('index.gecko.v2'):
 continue
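Review bot: `job.pop('enable-signing-routes', True)` accepts whatever the kind YAML supplies and the value is then only tested for truthiness, so a quoted `'false'` (a non-empty string) would still publish the `index.gecko.v2.<branch>.signed.*` routes with no error. The only visible user of the flag is the notarization part-1 kind, whose output is presumably not meant to be discoverable as a finished signed build, so a bad value should fail the graph rather than fall back to routes on: `if not isinstance(enable_signing_routes, bool): raise ValueError('enable-signing-routes must be a boolean')` directly after the pop. The `and enable_signing_routes` test is repeated for `shippable` here and for `nightly` in the `@@ -32,7 +33,7 @@` hunk, and a short comment above the pop (`# Kinds that only stage a signing step set this to false so no .signed index routes are added`) would record why the switch exists. add_signed_routes begins above the first hunk and its loop body continues past both, so whether a later schema check already validates the key is not visible here.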