diff --git a/.gitmodules b/.gitmodules
index 28c5f3dda4..95ed8e1665 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,7 +4,7 @@
 	url=../rlottie.git
 [submodule "build-system/bazel-rules/rules_apple"]
 	path = build-system/bazel-rules/rules_apple
-url=https://github.com/bazelbuild/rules_apple.git
+url=https://github.com/ali-fareed/rules_apple.git
 [submodule "build-system/bazel-rules/rules_swift"]
 	path = build-system/bazel-rules/rules_swift
 url=https://github.com/bazelbuild/rules_swift.git
diff --git a/WORKSPACE b/WORKSPACE
index a41ed5cce6..ecc527cbb5 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -53,8 +53,8 @@ bazel_skylib_workspace()
 
 http_file(
     name = "cmake_tar_gz",
-    urls = ["https://github.com/Kitware/CMake/releases/download/v3.19.2/cmake-3.19.2-macos-universal.tar.gz"],
-    sha256 = "50afa2cb66bea6a0314ef28034f3ff1647325e30cf5940f97906a56fd9640bd8",
+    urls = ["https://github.com/Kitware/CMake/releases/download/v3.23.1/cmake-3.23.1-macos-universal.tar.gz"],
+    sha256 = "f794ed92ccb4e9b6619a77328f313497d7decf8fb7e047ba35a348b838e0e1e2",
 )
 
 http_archive(
diff --git a/build-system/AppleWWDRCAG3.cer b/build-system/AppleWWDRCAG3.cer
new file mode 100644
index 0000000000..32f96f81dd
Binary files /dev/null and b/build-system/AppleWWDRCAG3.cer differ
diff --git a/buildbox/build-telegram-next.sh b/buildbox/build-telegram-next.sh
new file mode 100644
index 0000000000..34a3971161
--- /dev/null
+++ b/buildbox/build-telegram-next.sh
@@ -0,0 +1,137 @@
+#!/bin/bash
+
+set -e
+
+MACOS_VERSION="12"
+XCODE_VERSION="13.2.1"
+GUEST_SHELL="bash"
+
+if [ -z "$VIRTUALBUILD_HOST" ]; then
+	echo "VIRTUALBUILD_HOST is not defined"
+	exit 1
+fi
+
+VM_BASE_NAME="macos$(echo $MACOS_VERSION | sed -e 's/\.'/_/g)-Xcode$(echo $XCODE_VERSION | sed -e 's/\.'/_/g)"
+echo "Base VM: \"$VM_BASE_NAME\""
+
+if [ -z "$BAZEL" ]; then
+	echo "BAZEL is not defined"
+	exit 1
+fi
+
+if [ ! -f "$BAZEL" ]; then
+	echo "bazel not found at $BAZEL"
+	exit 1
+fi
+
+BUILDBOX_DIR="buildbox"
+
+mkdir -p "$BUILDBOX_DIR/transient-data"
+
+rm -f "tools/bazel"
+cp "$BAZEL" "tools/bazel"
+
+BUILD_CONFIGURATION="$1"
+
+if [ "$BUILD_CONFIGURATION" == "hockeyapp" ] || [ "$BUILD_CONFIGURATION" == "appcenter-experimental" ] || [ "$BUILD_CONFIGURATION" == "appcenter-experimental-2" ]; then
+	CODESIGNING_SUBPATH="$BUILDBOX_DIR/transient-data/telegram-codesigning/codesigning"
+elif [ "$BUILD_CONFIGURATION" == "appstore" ]; then
+	CODESIGNING_SUBPATH="$BUILDBOX_DIR/transient-data/telegram-codesigning/codesigning"
+elif [ "$BUILD_CONFIGURATION" == "verify" ]; then
+	CODESIGNING_SUBPATH="build-system/fake-codesigning"
+else
+	echo "Unknown configuration $1"
+	exit 1
+fi
+
+COMMIT_COMMENT="$(git log -1 --pretty=%B)"
+case "$COMMIT_COMMENT" in 
+  *"[nocache]"*)
+	export BAZEL_HTTP_CACHE_URL=""
+    ;;
+esac
+
+COMMIT_ID="$(git rev-parse HEAD)"
+COMMIT_AUTHOR=$(git log -1 --pretty=format:'%an')
+if [ -z "$2" ]; then
+	COMMIT_COUNT=$(git rev-list --count HEAD)
+	BUILD_NUMBER_OFFSET="$(cat build_number_offset)"
+	COMMIT_COUNT="$(($COMMIT_COUNT+$BUILD_NUMBER_OFFSET))"
+	BUILD_NUMBER="$COMMIT_COUNT"
+else
+	BUILD_NUMBER="$2"
+fi
+
+BASE_DIR=$(pwd)
+
+if [ "$BUILD_CONFIGURATION" == "hockeyapp" ] || [ "$BUILD_CONFIGURATION" == "appcenter-experimental" ] || [ "$BUILD_CONFIGURATION" == "appcenter-experimental-2" ] || [ "$BUILD_CONFIGURATION" == "appstore" ]; then
+	if [ ! `which generate-configuration.sh` ]; then
+		echo "generate-configuration.sh not found in PATH $PATH"
+		exit 1
+	fi
+
+	mkdir -p "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning"
+	mkdir -p "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration"
+
+	case "$BUILD_CONFIGURATION" in
+		"hockeyapp"|"appcenter-experimental"|"appcenter-experimental-2")
+			generate-configuration.sh internal release "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning" "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration"
+			;;
+
+		"appstore")
+			generate-configuration.sh appstore release "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning" "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration"
+			;;
+
+		*)
+			echo "Unknown build configuration $BUILD_CONFIGURATION"
+			exit 1
+			;;
+	esac
+elif [ "$BUILD_CONFIGURATION" == "verify" ]; then
+	mkdir -p "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning"
+	mkdir -p "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration"
+
+	cp -R build-system/fake-codesigning/* "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning/"
+	cp -R build-system/example-configuration/* "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration/"
+fi
+
+if [ ! -d "$CODESIGNING_SUBPATH" ]; then
+	echo "$CODESIGNING_SUBPATH does not exist"
+	exit 1
+fi
+
+SOURCE_DIR=$(basename "$BASE_DIR")
+rm -f "$BUILDBOX_DIR/transient-data/source.tar"
+set -x
+find . -type f -a -not -regex "\\." -a -not -regex ".*\\./git" -a -not -regex ".*\\./git/.*" -a -not -regex "\\./bazel-bin" -a -not -regex "\\./bazel-bin/.*" -a -not -regex "\\./bazel-out" -a -not -regex "\\./bazel-out/.*" -a -not -regex "\\./bazel-testlogs" -a -not -regex "\\./bazel-testlogs/.*" -a -not -regex "\\./bazel-telegram-ios" -a -not -regex "\\./bazel-telegram-ios/.*" -a -not -regex "\\./buildbox" -a -not -regex "\\./buildbox/.*" -a -not -regex "\\./buck-out" -a -not -regex "\\./buck-out/.*" -a -not -regex "\\./\\.buckd" -a -not -regex "\\./\\.buckd/.*" -a -not -regex "\\./build" -a -not -regex "\\./build/.*" -print0 | tar cf "$BUILDBOX_DIR/transient-data/source.tar" --null -T -
+
+PROCESS_ID="$$"
+
+initialization_params="$VM_BASE_NAME"
+initialization_params="$initialization_params&watchpid=$PROCESS_ID"
+
+ssh_credentials=$(curl --fail --insecure "https://$VIRTUALBUILD_HOST/run-image?name=$initialization_params")
+
+ssh_username=$(echo "$ssh_credentials" | python3 -c "import sys, json; print(json.load(sys.stdin)['sshCredentials']['username'])")
+ssh_host=$(echo "$ssh_credentials" | python3 -c "import sys, json; print(json.load(sys.stdin)['sshCredentials']['host'])")
+ssh_privateKey=$(echo "$ssh_credentials" | python3 -c "import sys, json; print(json.load(sys.stdin)['sshCredentials']['privateKey'])")
+
+ssh_privateKeyFile=$(mktemp)
+echo "$ssh_privateKey" | base64 --decode > "$ssh_privateKeyFile"
+
+scp -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -pr "$CODESIGNING_SUBPATH" $ssh_username@"$ssh_host":codesigning_data
+scp -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -pr "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration" $ssh_username@"$ssh_host":telegram-configuration
+
+scp -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -pr "$BUILDBOX_DIR/guest-build-telegram.sh" "$BUILDBOX_DIR/transient-data/source.tar" $ssh_username@"$ssh_host":
+
+ssh -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $ssh_username@"$ssh_host" -o ServerAliveInterval=60 -t "export BUILD_NUMBER=\"$BUILD_NUMBER\"; export BAZEL_HTTP_CACHE_URL=\"$BAZEL_HTTP_CACHE_URL\"; $GUEST_SHELL -l guest-build-telegram.sh $BUILD_CONFIGURATION" || true
+
+OUTPUT_PATH="build/artifacts"
+rm -rf "$OUTPUT_PATH"
+mkdir -p "$OUTPUT_PATH"
+
+scp -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -pr $ssh_username@"$ssh_host":"telegram-ios/build/artifacts/*" "$OUTPUT_PATH/"
+
+if [ ! -f "$OUTPUT_PATH/Telegram.ipa" ]; then
+	exit 1
+fi
diff --git a/buildbox/guest-build-telegram.sh b/buildbox/guest-build-telegram.sh
index 07f65327d1..6d64d9016c 100644
--- a/buildbox/guest-build-telegram.sh
+++ b/buildbox/guest-build-telegram.sh
@@ -73,9 +73,12 @@ for f in "$CERTS_PATH"/*.p12; do
 done
 
 for f in "$CERTS_PATH"/*.cer; do
-	sudo security add-trusted-cert -d -r trustRoot -p codeSign -k "$MY_KEYCHAIN" "$f"
+	#sudo security add-trusted-cert -d -r trustRoot -p codeSign -k "$MY_KEYCHAIN" "$f"
+	security import "$f" -k "$MY_KEYCHAIN" -P "" -T /usr/bin/codesign -T /usr/bin/security
 done
 
+security import "build-system/AppleWWDRCAG3.cer" -k "$MY_KEYCHAIN" -P "" -T /usr/bin/codesign -T /usr/bin/security
+
 security set-key-partition-list -S apple-tool:,apple: -k "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
 
 if [ "$1" == "hockeyapp" ] || [ "$1" == "appcenter-experimental" ] || [ "$1" == "appcenter-experimental-2" ]; then
diff --git a/third-party/mozjpeg/BUILD b/third-party/mozjpeg/BUILD
index f71d702e7d..faeca31222 100644
--- a/third-party/mozjpeg/BUILD
+++ b/third-party/mozjpeg/BUILD
@@ -57,7 +57,7 @@ genrule(
 
     mkdir -p "$$BUILD_DIR/Public/mozjpeg"
 
-    PATH="$$PATH:$$CMAKE_DIR/cmake-3.19.2-macos-universal/CMake.app/Contents/bin" sh $$BUILD_DIR/build-mozjpeg-bazel.sh $$BUILD_ARCH "$$BUILD_DIR/mozjpeg" "$$BUILD_DIR"
+    PATH="$$PATH:$$CMAKE_DIR/cmake-3.23.1-macos-universal/CMake.app/Contents/bin" sh $$BUILD_DIR/build-mozjpeg-bazel.sh $$BUILD_ARCH "$$BUILD_DIR/mozjpeg" "$$BUILD_DIR"
     """ +
     "\n".join([
         "cp -f \"$$BUILD_DIR/mozjpeg/{}\" \"$(location Public/mozjpeg/{})\"".format(header, header) for header in headers
diff --git a/third-party/yasm/BUILD b/third-party/yasm/BUILD
index 3d1ee6a815..38efc12b07 100644
--- a/third-party/yasm/BUILD
+++ b/third-party/yasm/BUILD
@@ -23,7 +23,7 @@ set -x
     pushd "$$BUILD_DIR/yasm-1.3.0"
     mkdir build
     cd build
-    PATH="$$PATH:$$CMAKE_DIR/cmake-3.19.2-macos-universal/CMake.app/Contents/bin" cmake .. -DYASM_BUILD_TESTS=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF
+    PATH="$$PATH:$$CMAKE_DIR/cmake-3.23.1-macos-universal/CMake.app/Contents/bin" cmake .. -DYASM_BUILD_TESTS=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DPYTHON_EXECUTABLE="$$(which python3)"
     make -j $$core_count
     popd