diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index c8796be90..18846cbec 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -49,14 +49,16 @@ jobs:
         with:
           exe: ${{ steps.download_exe.outputs.exe }}
       - name: Obtain signing cert
+        id: obtain_cert
         env:
           DESKTOP_CERT_TOKEN: ${{ secrets.DESKTOP_CERT_TOKEN }}
-        run: .\setup-windows-certificate.ps1
-        shell: powershell
+        run: .\script\setup-windows-certificate.ps1
       - name: Sign MSI
         env:
           GITHUB_CERT_PASSWORD: ${{ secrets.GITHUB_CERT_PASSWORD }}
-        run: .\sign.ps1 -Certificate "windows-certificate.pfx" -Executable "${{ steps.buildmsi.outputs.msi }}"
+        run: |
+          .\script\sign.ps1 -Certificate "${{ steps.obtain_cert.outputs.cert-file }}" `
+            -Executable "${{ steps.buildmsi.outputs.msi }}"
       - name: Upload MSI
         uses: ./.github/actions/upload-msi
         env:
diff --git a/setup-windows-certificate.ps1 b/script/setup-windows-certificate.ps1
similarity index 74%
rename from setup-windows-certificate.ps1
rename to script/setup-windows-certificate.ps1
index 4634c281b..9238fe67b 100644
--- a/setup-windows-certificate.ps1
+++ b/script/setup-windows-certificate.ps1
@@ -1,4 +1,5 @@
 $scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
+$certFile = "$scriptPath\windows-certificate.pfx"
 
 $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
 $headers.Add("Authorization", "token $env:DESKTOP_CERT_TOKEN")
@@ -6,4 +7,6 @@ $headers.Add("Accept", 'application/vnd.github.v3.raw')
 
 Invoke-WebRequest 'https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx' `
               -Headers $headers `
-              -OutFile "$scriptPath\windows-certificate.pfx"
+              -OutFile "$certFile"
+
+Write-Output "::set-output name=cert-file::$certFile"
diff --git a/sign.ps1 b/script/sign.ps1
similarity index 56%
rename from sign.ps1
rename to script/sign.ps1
index 9eb00ed50..ec724f7bd 100644
--- a/sign.ps1
+++ b/script/sign.ps1
@@ -10,4 +10,8 @@ $thumbprint = "fb713a60a7fa79dfc03cb301ca05d4e8c1bdd431"
 $passwd = $env:GITHUB_CERT_PASSWORD
 $ProgramName = "GitHub CLI"
 
-& .\signtool.exe sign /d $ProgramName /f $Certificate /p $passwd /sha1 $thumbprint /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $Executable
+$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
+
+& $scriptPath\signtool.exe sign /d $ProgramName /f $Certificate /p $passwd `
+    /sha1 $thumbprint /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v `
+    $Executable
diff --git a/signtool.exe b/script/signtool.exe
similarity index 100%
rename from signtool.exe
rename to script/signtool.exe