diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index 3080ece9a69..ce6c69efa9a 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -307,6 +307,14 @@ jobs:
           Expand-Archive -Path ".\dist\k6-$env:VERSION-win64.zip" -DestinationPath .\packaging\
           move .\packaging\k6-$env:VERSION-win64\k6.exe .\packaging\
           rmdir .\packaging\k6-$env:VERSION-win64\
+      - name: Add signtool to PATH
+        run: echo "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+      - name: Convert base64 certificate to PFX
+        run: |
+          $bytes = [Convert]::FromBase64String("${{ secrets.WIN_SIGN_CERT }}")
+          [IO.File]::WriteAllBytes("k6.pfx", $bytes)
+      - name: Sign Windows binary
+        run: signtool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.exe"
       - name: Create MSI package
         run: |
           $env:VERSION = $env:VERSION -replace 'v(\d+\.\d+\.\d+).*','$1'
@@ -314,6 +322,10 @@ jobs:
           cd .\packaging
           candle.exe -arch x64 "-dVERSION=$env:VERSION" k6.wxs
           light.exe -ext WixUIExtension k6.wixobj
+      - name: Sign MSI package
+        run: signtool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.msi"
+      - name: Cleanup signing artifacts
+        run: del k6.pfx
       - name: Prepare Chocolatey package
         run: |
           $env:VERSION = $env:VERSION.TrimStart("v", " ")