diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 09883a8..9398bf3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,21 @@ jobs:
         with:
           ref: ${{ env.RELEASE_TAG }}
 
+      - name: Prepare signing certificate
+        shell: pwsh
+        env:
+          CLOUDSQLCTL_SIGN_CERT_B64: ${{ secrets.CLOUDSQLCTL_SIGN_CERT_B64 }}
+          CLOUDSQLCTL_SIGN_PWD: ${{ secrets.CLOUDSQLCTL_SIGN_PWD }}
+        run: |
+          if (-not $env:CLOUDSQLCTL_SIGN_CERT_B64) {
+            Write-Host "Signing cert not provided; skipping signing setup."
+            exit 0
+          }
+          $certPath = Join-Path $env:RUNNER_TEMP "cloudsqlctl-signing.pfx"
+          [IO.File]::WriteAllBytes($certPath, [Convert]::FromBase64String($env:CLOUDSQLCTL_SIGN_CERT_B64))
+          "CLOUDSQLCTL_SIGN_CERT=$certPath" | Out-File -FilePath $env:GITHUB_ENV -Append
+          "CLOUDSQLCTL_SIGN_PWD=$env:CLOUDSQLCTL_SIGN_PWD" | Out-File -FilePath $env:GITHUB_ENV -Append
+
       - name: Use Node.js 22.x
         uses: actions/setup-node@v4
         with:
@@ -54,6 +69,13 @@ jobs:
       - name: Build Installer
         run: npm run installer
 
+      - name: Sign artifacts
+        if: ${{ env.CLOUDSQLCTL_SIGN_CERT != '' }}
+        shell: pwsh
+        run: |
+          powershell -ExecutionPolicy Bypass -File tools/sign-exe.ps1 -ExePath "bin/cloudsqlctl.exe"
+          powershell -ExecutionPolicy Bypass -File tools/sign-exe.ps1 -ExePath "dist/cloudsqlctl-setup.exe"
+
       - name: Generate Docs
         run: npm run docs:generate
 
diff --git a/docs/commands.md b/docs/commands.md
index fba815d..61021ba 100644
--- a/docs/commands.md
+++ b/docs/commands.md
@@ -1,6 +1,6 @@
 # Cloud SQL Proxy CLI Reference
 
-**Version:** 0.4.14
+**Version:** 0.4.15
 **Generated:** 2025-12-22
 
 ## Overview