diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 2a9411993..c77c0cbff 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -246,7 +246,7 @@ jobs:
 
   package_and_upload_windows:
     name: Package & Upload Windows
-    runs-on: ubuntu-latest
+    runs-on: windows-latest
     needs: build_dotnet_windows
     steps:
       - name: Download dotnet artifacts
@@ -255,6 +255,21 @@ jobs:
           name: dotnet-windows-build
           path: dotnet-build
 
+      - name: Sign dotnet artifacts
+        uses: azure/trusted-signing-action@v0
+        with:
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: ArtifactSigning
+          certificate-profile-name: ErsatzTV
+          files-folder: ${{ github.workspace }}/dotnet-build
+          files-folder-filter: main/ErsatzTV.exe,scanner/ErsatzTV.Scanner.exe
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+
       - name: Download rust launcher
         uses: suisei-cn/actions-download-file@v1.3.0
         with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fde107bec..27bb34fe3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
+### Fixed
+- Use code signing on all Windows executables (`ErsatzTV-Windows.exe`, `ErsatzTV.exe`, `ErsatzTV.Scanner.exe`)
 
 ## [26.1.1] - 2026-01-08
 ### Fixed