diff --git a/.goreleaser.yml b/.goreleaser.yml
index a7b293d6e..6ef1ecc8b 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -39,8 +39,7 @@ builds:
goarch: [386, amd64, arm64]
hooks:
post:
- - cmd: >-
- {{ if eq .Runtime.Goos "windows" }}pwsh .\script\sign.ps1{{ else }}./script/sign{{ end }} '{{ .Path }}'
+ - cmd: pwsh .\script\sign.ps1 '{{ .Path }}'
output: true
binary: bin/gh
main: ./cmd/gh
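Review bot: Dropping the `.Runtime.Goos` switch makes this post hook correct only if every target of this `builds` entry is produced on a Windows host, because `pwsh .\script\sign.ps1` uses a backslash path that no other shell or OS resolves; the entry's `goos` list is outside the hunk, so that invariant is not visible here and should be stated next to the hook. A comment such as `# Windows-only build: signing runs via sign.ps1 on the Windows runner; macOS signing/notarization is done by script/sign in the release workflow` would record where the other half of the old conditional went. Since `output: true` surfaces the hook's stdout/stderr in the release log, it is worth confirming that sign.ps1 does not echo certificate or password material. The enclosing builds entry starts before the hunk.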
diff --git a/docs/release-process-deep-dive.md b/docs/release-process-deep-dive.md
index ed9362d38..31f44f6ef 100644
--- a/docs/release-process-deep-dive.md
+++ b/docs/release-process-deep-dive.md
@@ -428,9 +428,6 @@ Breaking this command down:
* `/dlib` points to the previously extracted DLL
* `/dmdf` points to the previously created metadata file
-> [!WARNING]
-> The [`GoReleaser` signing hook](https://github.com/cli/cli/blob/756f4ec04abdc9fdbab3fef35b182c546ef1dd17/.goreleaser.yml#L43) can currently call `./script/sign` on a non-windows machine, but this is an artifact from pre-HSM that should be removed.
-
## [release](https://github.com/cli/cli/blob/756f4ec04abdc9fdbab3fef35b182c546ef1dd17/.github/workflows/deployment.yml#L250-L395)
diff --git a/script/sign b/script/sign
index 1630a06b5..f07a7d2d4 100755
--- a/script/sign
+++ b/script/sign
@@ -1,36 +1,12 @@
#!/bin/bash
# usage: script/sign
#
-# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool, and signs
-# Windows EXE and MSI files using osslsigncode.
+# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool
#
set -e
-sign_windows() {
- if [ -z "$CERT_FILE" ]; then
- echo "skipping Windows code-signing; CERT_FILE not set" >&2
- return 0
- fi
-
- if [ ! -f "$CERT_FILE" ]; then
- echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
- return 1
- fi
-
- if [ -z "$CERT_PASSWORD" ]; then
- echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
- return 1
- fi
-
- osslsigncode sign -n "GitHub CLI" -t http://timestamp.digicert.com \
- -pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
- -in "$1" -out "$1"~
-
- mv "$1"~ "$1"
-}
-
sign_macos() {
- if [ -z "$APPLE_DEVELOPER_ID" ]; then
+ if [[ -z "$APPLE_DEVELOPER_ID" ]]; then
echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2
return 0
fi
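Review bot: The rewritten header comment now says nothing about where Windows signing went, so a reader of this script alone will think Windows artifacts are no longer signed at all; the goreleaser change in this same commit shows they are handled by `script/sign.ps1`. Extend the header with `# Windows EXE/MSI signing is handled separately by script/sign.ps1 (see .goreleaser.yml).` and end the macOS sentence with a period. The `[[ -z "$APPLE_DEVELOPER_ID" ]]` change is fine; sign_macos continues past the end of this hunk.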
@@ -42,24 +18,17 @@ sign_macos() {
fi
}
-if [ $# -eq 0 ]; then
+if [[ $# -eq 0 ]]; then
echo "usage: script/sign " >&2
exit 1
fi
platform="$(uname -s)"
+if [[ $platform != "Darwin" ]]; then
+ echo "error: must run on macOS; skipping codesigning/notarization" >&2
+ exit 1
+fi
for input_file; do
- case "$input_file" in
- *.exe | *.msi )
- sign_windows "$input_file"
- ;;
- * )
- if [ "$platform" = "Darwin" ]; then
- sign_macos "$input_file"
- else
- printf "warning: don't know how to sign %s on %s\n" "$1", "$platform" >&2
- fi
- ;;
- esac
-done
\ No newline at end of file
+ sign_macos "$input_file"
+done
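Review bot: The new platform guard exits with status 1 while its message says "skipping", which reads as a soft skip even though the old behaviour (warn and exit 0) has been turned into a hard failure; a caller that treats a non-zero exit as a release blocker will now see a message that suggests otherwise. Either make the wording match the intent, `echo "error: must run on macOS; cannot codesign or notarize" >&2`, or, if a skip is what is wanted on other hosts, `exit 0` instead. The usage line `echo "usage: script/sign " >&2` also appears to have lost its argument placeholder (possibly an extraction artefact); if it is really empty, `echo "usage: script/sign <file>..." >&2` restores it. `$platform` unquoted inside `[[ ]]` is safe in bash, so that part needs no change.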