diff --git a/electron-builder.yml b/electron-builder.yml
index b0d163009f..294335c36a 100644
--- a/electron-builder.yml
+++ b/electron-builder.yml
@@ -45,6 +45,8 @@ win:
   target:
     - target: nsis
     - target: portable
+  signtoolOptions:
+    sign: scripts/win-sign.js
 nsis:
   artifactName: ${productName}-${version}-${arch}-setup.${ext}
   shortcutName: ${productName}
diff --git a/scripts/win-sign.js b/scripts/win-sign.js
new file mode 100644
index 0000000000..f9b37c3aed
--- /dev/null
+++ b/scripts/win-sign.js
@@ -0,0 +1,19 @@
+const { execSync } = require('child_process')
+
+exports.default = async function (configuration) {
+  if (process.env.WIN_SIGN) {
+    const { path } = configuration
+    if (configuration.path) {
+      try {
+        console.log('Start code signing...')
+        console.log('Signing file:', path)
+        const signCommand = `signtool sign /tr http://timestamp.comodoca.com /td sha256 /fd sha256 /a /v "${path}"`
+        execSync(signCommand, { stdio: 'inherit' })
+        console.log('Code signing completed')
+      } catch (error) {
+        console.error('Code signing failed:', error)
+        throw error
+      }
+    }
+  }
+}