diff --git a/package.json b/package.json
index 310f9cb0d..2cd1c3145 100644
--- a/package.json
+++ b/package.json
@@ -385,6 +385,7 @@
 "signingHashAlgorithms": [
 "sha256"
 ],
+ "sign": "./ts/scripts/sign-windows.js",
 "publisherName": "Signal Messenger, LLC",
 "icon": "build/icons/win/icon.ico",
 "publish": [
diff --git a/ts/scripts/sign-windows.ts b/ts/scripts/sign-windows.ts
new file mode 100644
index 000000000..0700916ed
--- /dev/null
+++ b/ts/scripts/sign-windows.ts
@@ -0,0 +1,31 @@
+// Copyright 2019 Signal Messenger, LLC
+// SPDX-License-Identifier: AGPL-3.0-only
+
+import { execSync } from 'child_process';
+
+import { realpath } from 'fs-extra';
+
+import type { CustomWindowsSignTaskConfiguration } from 'electron-builder';
+
+export async function sign(
+ configuration: CustomWindowsSignTaskConfiguration
+): Promise {
+ // In CI, we remove certificate information from package.json to disable signing
+ if (!configuration.options.certificateSha1) {
+ return;
+ }
+
+ const scriptPath = process.env.SIGN_WINDOWS_SCRIPT;
+ if (!scriptPath) {
+ throw new Error(
+ 'path to windows sign script must be provided in environment variable SIGN_WINDOWS_SCRIPT'
+ );
+ }
+
+ const target = realpath(configuration.path);
+
+ // The script will update the file in-place
+ execSync(`bash ${scriptPath} ${target}`, {
+ stdio: [null, process.stdout, process.stderr],
+ });
+}
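Review bot: In ts/scripts/sign-windows.ts, `realpath` from fs-extra returns a promise and `const target = realpath(configuration.path);` does not await it, so the template string handed to `execSync` interpolates the promise object instead of the resolved artifact path and the signing script never receives the file it is meant to sign; the line should read `const target = await realpath(configuration.path);`. The same call builds a shell command by interpolating `scriptPath` and `target` unquoted, so a path containing spaces or shell metacharacters is word-split or interpreted by the shell; passing an argument vector avoids that, e.g. `execFileSync('bash', [scriptPath, target], { stdio: [null, process.stdout, process.stderr] });` with `execFileSync` imported from `child_process` in place of `execSync`. Because a missing `certificateSha1` returns silently, a log line on that early return would make an unintentionally unsigned release build visible in the build output.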