diff --git a/.github/workflows/windows.release.yml b/.github/workflows/desktop.windows.release.yml
similarity index 90%
rename from .github/workflows/windows.release.yml
rename to .github/workflows/desktop.windows.release.yml
index f68932fc5..bd5229ef7 100644
--- a/.github/workflows/windows.release.yml
+++ b/.github/workflows/desktop.windows.release.yml
@@ -6,6 +6,10 @@ on:
 jobs:
 Windows:
 runs-on: self-hosted
+ env:
+ WINDOWS_TOKEN_ALIAS: ${{ secrets.WINDOWS_TOKEN_ALIAS }}
+ WINDOWS_TOKEN_PASSWORD: ${{ secrets.WINDOWS_TOKEN_PASSWORD }}
+
 defaults:
 run:
 working-directory: packages/desktop
diff --git a/packages/desktop/jsign/eToken.cfg b/packages/desktop/jsign/eToken.cfg
new file mode 100644
index 000000000..595fa06c6
--- /dev/null
+++ b/packages/desktop/jsign/eToken.cfg
@@ -0,0 +1,3 @@
+name = HardwareToken
+library = /Library/Frameworks/eToken.framework/Versions/A/libeToken.dylib
+slotListIndex = 0
\ No newline at end of file
diff --git a/packages/desktop/jsign/jsign-4.1.jar b/packages/desktop/jsign/jsign-4.1.jar
new file mode 100644
index 000000000..8c711e469
Binary files /dev/null and b/packages/desktop/jsign/jsign-4.1.jar differ
diff --git a/packages/desktop/package.json b/packages/desktop/package.json
index 7e71ada71..f430bf21a 100644
--- a/packages/desktop/package.json
+++ b/packages/desktop/package.json
@@ -113,7 +113,8 @@
 "win": {
 "certificateSubjectName": "Standard Notes Ltd.",
 "publisherName": "Standard Notes Ltd.",
- "signDlls": true
+ "signDlls": true,
+ "sign": "scripts/windowsSign.js"
 },
 "nsis": {
 "deleteAppDataOnUninstall": true
diff --git a/packages/desktop/scripts/windowsSign.js b/packages/desktop/scripts/windowsSign.js
new file mode 100644
index 000000000..f20114dcf
--- /dev/null
+++ b/packages/desktop/scripts/windowsSign.js
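Review bot: `WINDOWS_TOKEN_ALIAS` and `WINDOWS_TOKEN_PASSWORD` are set in the job-level `env`, so every step of the `Windows` job receives them, including any dependency-install or build step that runs third-party scripts. Only the step that triggers the signing hook needs them; moving the two entries into that step's own `env:` keeps the token password out of the rest of the job. The steps are outside this hunk, so which step that is has to be confirmed there. Because the job runs on a `self-hosted` runner, it is also worth confirming that the triggers under `on:` (not visible here) cannot start it from untrusted branches or forks.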
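Review bot: Nothing in `eToken.cfg` says that `library` is a macOS path, so the Windows release job can only sign on a macOS runner that has the eToken framework installed. A leading comment such as `# PKCS#11 library of the eToken client on the macOS signing runner; must be installed there` would make that requirement visible. `slotListIndex = 0` selects whichever token occupies the first slot, so the comment could also note that only the signing token should be attached. The file also ends without a trailing newline.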
@@ -0,0 +1,16 @@
+exports.default = async function (configuration) {
+ require('child_process').execSync(
+ `java \
+ -jar jsign/jsign-4.1.jar \
+ --keystore jsign/eToken.cfg \
+ --storepass "${process.env.WINDOWS_TOKEN_PASSWORD}" \
+ --storetype PKCS11 \
+ --tsaurl http://timestamp.digicert.com \
+ --alias "${process.env.WINDOWS_TOKEN_ALIAS}" \
+ "${configuration.path}"
+ `,
+ {
+ stdio: 'inherit',
+ },
+ )
+}
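Review bot: The signing command in `windowsSign.js` is built as a single shell string, so `configuration.path` and both environment values are parsed by the shell inside double quotes; a path or password containing `"`, `$` or a backtick changes the command or breaks signing. Passing an argument array to `execFileSync` avoids the shell entirely, and a guard for unset variables stops the literal text `undefined` being sent as the password or alias. The password still ends up in the java process's argument list, which is visible in the process list on the self-hosted runner, so it is worth checking whether the jsign version in use can take it another way. The jar this script runs is committed as a binary (`jsign/jsign-4.1.jar`), so its checksum should be compared with the upstream release before it is trusted in the signing path.

```javascript
exports.default = async function (configuration) {
  const { WINDOWS_TOKEN_ALIAS: alias, WINDOWS_TOKEN_PASSWORD: password } = process.env
  if (!alias || !password) {
    throw new Error('WINDOWS_TOKEN_ALIAS and WINDOWS_TOKEN_PASSWORD must be set for signing')
  }

  // Argument array, no shell: the path and the secrets are passed to java verbatim.
  require('child_process').execFileSync(
    'java',
    [
      '-jar', 'jsign/jsign-4.1.jar',
      '--keystore', 'jsign/eToken.cfg',
      '--storepass', password,
      '--storetype', 'PKCS11',
      '--tsaurl', 'http://timestamp.digicert.com',
      '--alias', alias,
      configuration.path,
    ],
    {
      stdio: 'inherit',
    },
  )
}
```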