diff --git a/Makefile b/Makefile
index db5e50869b9ce9334d82d528accf5a0784da6970..90b0b1eb930e35e16821fefd901955862a44b903 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ APPNAME ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam appname
 TARGET ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam binname | tail -n 1)
 PROVIDER ?= $(shell grep ^'provider =' ${VENDOR_PATH}/vendor.conf | cut -d '=' -f 2 | tr -d "[:space:]")
 VERSION ?= $(shell git describe)
+WINCERTPASS ?= pass
 
 # go paths
 GOPATH = $(shell go env GOPATH)
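Review bot: `WINCERTPASS ?= pass` gives the signing password a working-looking default, so a release run with the variable unset still reaches `signtool` with a placeholder instead of stopping early. It also invites protecting the real `.pfx` with that value. Leave the variable without a default and fail fast in the signing targets, e.g. `$(if $(WINCERTPASS),,$(error WINCERTPASS is not set))` as the first recipe line of `dosign` and `sign_installer`. A one-line comment here should say the value is taken from the environment and must never be committed.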
@@ -89,6 +90,9 @@ lib/%.a: $(PKGFILES)
 	@XBUILD=no ./gui/build.sh --just-golib
 
 relink_vendor:
+ifeq ($(PLATFORM), windows)
+	rm -rf providers/assets
+endif
 ifeq ($(VENDOR_PATH), providers)
 	@unlink providers/assets || true
 	@ln -s ${PROVIDER}/assets providers/assets
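Review bot: The added `rm -rf providers/assets` sits outside the `ifeq ($(VENDOR_PATH), providers)` guard, so on Windows it runs for every vendor path and recursively removes whatever is at that location, including a real directory. If it is only meant to clear what the later `ln -s` leaves behind on Windows (presumably a copy rather than a link), move it inside the guard next to the `unlink`. Add a comment stating why Windows needs a recursive delete. The body of relink_vendor continues past the end of this hunk.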
@@ -110,7 +114,30 @@ build_helper:
 build_openvpn:
 	@[ -f $(OPENVPN_BIN) ] && echo "OpenVPN already built at" $(OPENVPN_BIN) || ./branding/thirdparty/openvpn/build_openvpn.sh
 
-installer: check_qtifw build_openvpn build
+dosign:
+ifeq (${PLATFORM}, windows)
+	"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-file-version ${VERSION}
+	"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-product-version ${VERSION}
+	"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string CompanyName "LEAP Encryption Access Project"
+	"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string FileDescription "VPN Application provided by ${PROVIDER}"
+	"c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} ${QTBUILD}/release/${TARGET}.exe
+	cp build/bin/${PLATFORM}/bitmask-helper build/bin/${PLATFORM}/bitmask-helper.exe
+	"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-file-version ${VERSION}
+	"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-product-version ${VERSION}
+	"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string ProductName "bitmask-helper-v2"
+	"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string CompanyName "LEAP Encryption Access Project"
+	"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string FileDescription "Administrative helper for ${TARGET}"
+	"c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/bin/${PLATFORM}/bitmask-helper.exe
+endif
+
+checksign:
+ifeq (${PLATFORM}, windows)
+	@"c:\windows\system32\sigcheck.exe" ${QTBUILD}/release/${TARGET}.exe
+	@"c:\windows\system32\sigcheck.exe" build/bin/${PLATFORM}/bitmask-helper.exe
+	@"c:\windows\system32\sigcheck.exe" "/c/Program Files/OpenVPN/bin/openvpn.exe"
+endif
+
+installer: check_qtifw checksign
 	@mkdir -p ${INST_DATA}
 	@cp -r ${TEMPLATES}/qtinstaller/packages ${INSTALLER}
 	@cp -r ${TEMPLATES}/qtinstaller/installer.pro ${INSTALLER}
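Review bot: The certificate password reaches `signtool` as a command-line argument on un-silenced recipe lines (`-p ${WINCERTPASS}` twice in `dosign`, and again in `sign_installer` in a later hunk), so make echoes it to the terminal and any CI log, and it is visible in the process list while signtool runs. Prefer a certificate held in the Windows certificate store or on a hardware token, selected with `/sha1 CERT_THUMBPRINT` (placeholder), so that neither a password nor the `.pfx` path appears in the Makefile; at the very least prefix the signing lines with `@`. The sign commands also set no digest or timestamp, so the signatures stop validating once the certificate expires; add `/fd SHA256 /tr TIMESTAMP_SERVER_URL /td SHA256` (URL is a placeholder). Separately, `checksign` only gates `installer` if `sigcheck.exe` exits non-zero for an unsigned file, which should be confirmed; `signtool verify /pa` on each file is an alternative that fails the recipe. The `installer` recipe continues outside this hunk.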
@@ -132,7 +159,7 @@ ifeq (${PLATFORM}, darwin)
 endif
 ifeq (${PLATFORM}, windows)
 	@VERSION=${VERSION} VENDOR_PATH=${VENDOR_PATH} ${SCRIPTS}/gen-qtinstaller windows ${INSTALLER}
-	@cp build/bin/${PLATFORM}/bitmask-helper ${INST_DATA}helper.exe
+	@cp build/bin/${PLATFORM}/bitmask-helper.exe ${INST_DATA}helper.exe
 ifeq (${VENDOR_PATH}, providers)
 	@cp ${VENDOR_PATH}/${PROVIDER}/assets/icon.ico ${INST_DATA}/icon.ico
 else
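Review bot: `build/bin/${PLATFORM}/bitmask-helper.exe` is created only by the `cp` inside `dosign`, and `installer` lists neither `dosign` nor `build` as a prerequisite, so this copy depends on the targets having been run by hand in the documented order. An unsigned developer build has no such file and will stop here (or earlier, in `checksign`). Producing the `.exe` name in the helper build step rather than in the signing step would remove that hidden ordering; that step is outside this hunk, so this is a suggestion to check rather than a line to quote. This hunk starts in the middle of the `installer` recipe.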
@@ -142,8 +169,8 @@ endif
 	# FIXME get the signed binaries with curl from openvpn downloads page - see if we have to adapt the openvpn-build to install tap drivers etc from our installer.
 	@cp "/c/Program Files/OpenVPN/bin/openvpn.exe" ${INST_DATA}
 	@cp "/c/Program Files/OpenVPN/bin/"*.dll ${INST_DATA}
-	# FIXME add sign options
 	@windeployqt --qmldir gui/qml ${INST_DATA}${TARGET}.exe
+	#@windeployqt --release --qmldir gui/qml ${INST_DATA}${TARGET}.exe
 	# TODO stage it to shave some time
 	@wget ${TAP_WINDOWS} -O ${INST_DATA}/tap-windows.exe
 endif
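Review bot: With the `FIXME add sign options` marker removed, nothing here records that the files staged in this block are not covered by the new `checksign` target. `checksign` inspects `openvpn.exe` at its Program Files path, but the OpenVPN DLLs copied here and the `tap-windows.exe` fetched by `wget` enter the installer with no signature or hash check. Verify the staged copies under `${INST_DATA}` rather than the source path, and pin the download, e.g. `@echo "$(TAP_WINDOWS_SHA256)  ${INST_DATA}/tap-windows.exe" | sha256sum -c -`, with `TAP_WINDOWS_SHA256` a new variable defined next to `TAP_WINDOWS`. The commented-out `#@windeployqt --release ...` line is tab-indented, so it is passed to the shell on every run; either enable it or move the note to a column-0 comment explaining why it is pending.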
@@ -154,6 +181,12 @@ endif
 	@echo "[+] Now building the installer."
 	@cd build/installer && qmake VENDOR_PATH=${VENDOR_PATH} INSTALLER=${APPNAME}-installer-${VERSION} && make
 
+sign_installer:
+ifeq (${PLATFORM}, windows)
+	# TODO add flag to skip signing for regular builds
+	"c:\windows\system32\signtool.exe" sign -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/installer/${APPNAME}-installer-${VERSION}.exe
+endif
+
 check_qtifw: 
 ifdef HAS_QTIFW
 	@echo "[+] Found QTIFW"
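Review bot: Nothing verifies the installer after `sign_installer` signs it; `checksign` covers the application, the helper and `openvpn.exe`, and it runs before the installer exists. Add a verification line after the sign command, e.g. `"c:\windows\system32\signtool.exe" verify /pa build/installer/${APPNAME}-installer-${VERSION}.exe`, so a missing or failed signature stops the release instead of shipping silently. The `# TODO add flag to skip signing` line is tab-indented and therefore part of the recipe, echoed on each run; place it above the target at column 0.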
diff --git a/branding/templates/windows/sign.py b/branding/templates/windows/sign.py
deleted file mode 100644
index 53b89a8e56d01279fc57142938b3888874f41938..0000000000000000000000000000000000000000
--- a/branding/templates/windows/sign.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python3
-"""
-This script is expected to be called from the main makefile, that should pass
-the content of the WIN_CERT_PASS variable as the second argument.
-"""
-import subprocess
-import os
-import sys
-
-WIN_CERT_PATH = sys.argv[1]
-WIN_CERT_PASS = sys.argv[2]
-SIGNTOOL = "signtool"
-
-VERSION = subprocess.run(
-    'git describe --tags',
-    stdout=subprocess.PIPE).stdout.strip()
-
-installer = "RiseupVPN-" + str(VERSION, 'utf-8') + '.exe'
-target = str(os.path.join(os.path.abspath('.'), 'dist', installer))
-cmd = [SIGNTOOL, "sign", "/f", WIN_CERT_PATH, "/p", WIN_CERT_PASS, target]
-subprocess.run(cmd)
diff --git a/docs/build.windows.rst b/docs/build.windows.rst
index 27edcbce638b03f886aad89e0191a8e93294603d..87431265fe04156805f5b4be85c80a6dac43c6d9 100644
--- a/docs/build.windows.rst
+++ b/docs/build.windows.rst
@@ -15,3 +15,36 @@ Assuming you have the vendor path in place and correctly configured, all you nee
   export PATH="/c/Qt/Qt5/bin/":"/c/Qt/QtIFW-3.2.2/bin":$PATH
   export VENDOR_PATH=providers
   make vendor && make installer
+
+
+checking signatures
+-------------------
+we should be signing all binaries on a release build.
+
+to check the binaries have proper signatures, you can use the sigcheck
+utilities, part of the sysinternals suite:
+
+https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
+
+unzip and place sigcheck.exe somewhere in your path.
+
+make sure to pass -accepteula parameter on some manual run so that it does not
+ask again.
+
+adding metadata to binaries
+---------------------------
+TODO: add metadata properly
+https://github.com/electron/rcedit/releases/tag/v1.1.1
+https://stackoverflow.com/questions/284258/how-do-i-set-the-version-information-for-an-existing-exe-dll
+
+the steps to do release signatures are::
+
+  make build
+  make dosign
+  make installer
+  make sign_installer
+
+
+unreviewed notes
+----------------
+see comment about patching dlls and windeployqt not being needed anymore https://stackoverflow.com/a/61910592