diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 68ae472c5..75932d7fe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,10 @@ name: Release
 on: workflow_dispatch
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 # Adjusts the revision to the latest version, builds images for each OS type/architecture using matrix:os and uploads each binary as a separate artifact
@@ -55,12 +59,31 @@ jobs:
 wix extension add WixToolset.UI.wixext/5.0.2
 wix extension add WixToolset.Util.wixext/5.0.2
 wix build Package.wxs WixUI_IDEasySetup.wxs -loc Package.en-us.wxl -ext WixToolset.UI.wixext -ext WixToolset.Util.wixext -o ideasy.msi
+ - name: Upload unsigned MSI
+ if: runner.os == 'Windows'
+ id: upload-msi
+ uses: actions/upload-artifact@v4
+ with:
+ name: msi-unsigned
+ path: windows-installer/ideasy.msi
+ - name: Sign MSI
+ if: runner.os == 'Windows'
+ uses: signpath/github-action-submit-signing-request@v2
+ with:
+ api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+ organization-id: '428e13ed-ca0c-47ca-8a73-63b76cabb59b'
+ project-slug: 'IDEasy'
+ signing-policy-slug: 'test-signing'
+ artifact-configuration-slug: 'IDEasy'
+ github-artifact-id: '${{ steps.upload-msi.outputs.artifact-id }}'
+ wait-for-completion: true
+ output-artifact-directory: 'windows-installer/signed'
 - name: Upload MSI
 if: runner.os == 'Windows'
 uses: actions/upload-artifact@v4
 with:
 name: msi
- path: windows-installer/ideasy.msi
+ path: windows-installer/signed/ideasy.msi
 # Downloads all native image artifacts to cli/target and builds the project using assemblies for final deployment to Maven Central.
 # The version number for the next build will be incremented automatically.
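Review bot: `id-token: write` is granted in the workflow-level `permissions:` block of the first hunk, so every job in release.yml can request an OIDC token, including the matrix legs that never sign and the later Maven Central deployment job. No step visible in this diff consumes an OIDC token; if one does, declare `permissions:` with `id-token: write` on that job only and keep the workflow default at `contents: read`. Because a top-level block sets every unlisted scope to `none`, it is also worth confirming that the signing step and the deployment job still have what they need, for example `actions: read` if the signing action reads the uploaded artifact through the workflow token, or `contents: write` if the version bump is pushed with it.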
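Review bot: The added `Sign MSI` step in the second hunk hands `secrets.SIGNPATH_API_TOKEN` to `signpath/github-action-submit-signing-request@v2`, a mutable tag, so whoever can move that tag controls code that sees the signing token and chooses what is submitted for signing; pin it to a full commit SHA, e.g. `uses: signpath/github-action-submit-signing-request@<full-commit-sha> # v2`. The step also selects `signing-policy-slug: 'test-signing'` in the Release workflow, so the published `msi` artifact presumably carries a test signature; if that is a temporary state, a comment such as `# TODO: switch to the release signing policy before publishing` would make it visible. The unsigned installer stays downloadable as `msi-unsigned`, and the comment after the hunk says the next job downloads all native image artifacts, so check that it cannot pick up the unsigned file, and consider `if-no-files-found: error` on the final `Upload MSI` step so a missing signed file fails the release. The job's remaining steps are outside this hunk.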