diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 13a7ac5..32895c9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,53 @@ jobs:
     - name: Build windows executables
       shell: bash
       run: ./win_build.sh
+    - name: Upload windows executables
+      id: uploadBinaryArtifact
+      uses: actions/upload-artifact@v4.4.3
+      with:
+        name: dctools-executables
+        path: ./dist/DC-tools-for-Windows/*.exe
+    - name: Remove unsigned windows binaries
+      shell: bash
+      run: |
+        rm ./dist/DC-tools-for-Windows/*.exe
+    - name: Sign Windows executable
+      uses: signpath/github-action-submit-signing-request@v1
+      with:
+        api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+        organization-id: 'TODO'
+        project-slug: 'DC-tools-for-Windows'
+        signing-policy-slug: 'test-signing'
+        github-artifact-id: '${{steps.uploadBinaryArtifact.outputs.artifact-id}}'
+        wait-for-completion: true
+        output-artifact-directory: 'dist/DC-tools-for-Windows'
+        parameters: |
+          Version: "${{ env.RELEASE_VERSION }}"
+    - name: Create Windows installer
+      shell: bash
+      run: ./win_package.sh
+    - name: Upload windows installer
+      id: uploadInstallerArtifact
+      uses: actions/upload-artifact@v4.4.3
+      with:
+        name: dctools-installer
+        path: ./innosetup/Output/*.exe
+    - name: Remove unsigned windows installer
+      shell: bash
+      run: |
+        rm -rf ./innosetup/Output/*.exe
+    - name: Sign Windows installer
+      uses: signpath/github-action-submit-signing-request@v1
+      with:
+        api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+        organization-id: 'TODO'
+        project-slug: 'DC-tools-for-Windows'
+        signing-policy-slug: 'test-signing'
+        github-artifact-id: '${{steps.uploadBinaryArtifact.outputs.artifact-id}}'
+        wait-for-completion: true
+        output-artifact-directory: 'innosetup/Output'
+        parameters: |
+          Version: "${{ env.RELEASE_VERSION }}"
     - name: Release Assets
       uses: softprops/action-gh-release@v1
       with:
@@ -35,5 +82,8 @@ jobs:
         prerelease: false
         body: |
             ![](https://img.shields.io/github/downloads/DC-Analysis/DC-tools-for-Windows/${{ env.RELEASE_VERSION }}/total.svg)
+
+            This installer and the executables therein are signed: [Code Signing Policy](https://github.com/DC-analysis/DC-tools-for-Windows#code-signing-policy).
+
         files: |
           ./innosetup/Output/*.exe
diff --git a/win_build.sh b/win_build.sh
index 620424c..c7b6871 100755
--- a/win_build.sh
+++ b/win_build.sh
@@ -25,6 +25,3 @@ pip install -r requirements.txt
 
 # build executables
 pyinstaller pyinstaller/dc_tools.spec
-
-# build the installers
-ISCC.exe innosetup/dc_tools.iss
diff --git a/win_package.sh b/win_package.sh
new file mode 100755
index 0000000..5197a2f
--- /dev/null
+++ b/win_package.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# This only works if you have git, bash, InnoSetup and Python3 installed.
+# You should already have activated your environment before
+# running this script.
+set -e
+set -x
+
+cd $(dirname "$BASH_SOURCE[0]}")
+
+# package executables as installer
+ISCC.exe innosetup/dc_tools.iss