diff --git a/.goreleaser.yml b/.goreleaser.yml index 45624cc9d..b5abae4a8 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -9,6 +9,7 @@ before: hooks: - go mod tidy - make manpages GH_VERSION={{.Version}} + - ./script/prepare-windows-cert.sh "{{.Env.GITHUB_CERT_PASSWORD}}" "{{.Env.DESKTOP_CERT_TOKEN}}" builds: - <<: &build_defaults @@ -34,10 +35,7 @@ builds: goarch: [386, amd64] hooks: post: - - cmd: ./script/sign-windows-executable.sh {{ .Path }} - env: - - GITHUB_CERT_PASSWORD={{ .Env.GITHUB_CERT_PASSWORD }} - - DESKTOP_CERT_TOKEN={{ .Env.DESKTOP_CERT_TOKEN }} + - ./script/sign-windows-executable.sh {{ .Path }} archives: - id: nix diff --git a/script/prepare-windows-cert.sh b/script/prepare-windows-cert.sh new file mode 100755 index 000000000..579694ce8 --- /dev/null +++ b/script/prepare-windows-cert.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +GITHUB_CERT_PASSWORD=$1 +DESKTOP_CERT_TOKEN=$2 + +curl \ + -H "Authorization: token $DESKTOP_CERT_TOKEN" \ + -H "Accept: application/vnd.github.v3.raw" \ + --output windows-certificate.pfx \ + https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx + +openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} || echo "no bueno 1" +openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} || echo "no bueno 2" \ No newline at end of file diff --git a/script/sign-windows-executable.sh b/script/sign-windows-executable.sh index 68af9e5d8..77cf78ca8 100755 --- a/script/sign-windows-executable.sh +++ b/script/sign-windows-executable.sh 
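Review bot: The added `before` hook places `GITHUB_CERT_PASSWORD` and `DESKTOP_CERT_TOKEN` on the script's command line, where they show up in the build host's process list and may be echoed if goreleaser logs the rendered hook string. The `env:` block removed from the post hook kept them out of argv. The script can presumably read both variables from the environment it inherits from goreleaser, so the hook could be just `- ./script/prepare-windows-cert.sh`, with the `$1`/`$2` assignments in script/prepare-windows-cert.sh dropped. As written, a password containing a double quote or whitespace would also change how the hook string is split into arguments.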
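Review bot: Every failure in the new script/prepare-windows-cert.sh is swallowed, so the release carries on after a failed download or extraction and only breaks later at signing, possibly against stale .pem files left in the directory. There is no `set -e`, `curl` runs without `--fail` so an API error body is saved as windows-certificate.pfx, and `|| echo "no bueno 1"` / `|| echo "no bueno 2"` turn an openssl failure into exit 0. The password also reaches openssl unquoted through `-passin pass:${GITHUB_CERT_PASSWORD}`, which exposes it in argv and subjects it to word splitting; `-passin env:GITHUB_CERT_PASSWORD` avoids both. Because `-nodes` writes the signing key unencrypted to private-key.pem in the working directory, a restrictive umask before the writes is worth adding, along with removing the .pfx and both .pem files once signing has finished.

```shell
set -euo pipefail
umask 077  # private-key.pem is written unencrypted (-nodes)

# … unchanged: GITHUB_CERT_PASSWORD / DESKTOP_CERT_TOKEN assignments …
export GITHUB_CERT_PASSWORD  # so openssl can read it via -passin env:

# … unchanged: curl download, with --fail --silent --show-error added …

openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin env:GITHUB_CERT_PASSWORD
openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin env:GITHUB_CERT_PASSWORD
```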
@@ -3,14 +3,13 @@ set -e EXECUTABLE_PATH=$1 -curl \ - -H "Authorization: token $DESKTOP_CERT_TOKEN" \ - -H "Accept: application/vnd.github.v3.raw" \ - --output windows-certificate.pfx \ - https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx +ARCH="386" -openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} -openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} +if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then + ARCH="amd64" +fi + +OUT_PATH=gh_signed-${ARCH}.exe osslsigncode sign \ -certs certificate.pem \ @@ -18,9 +17,6 @@ osslsigncode sign \ -n "GitHub CLI" \ -t http://timestamp.digicert.com \ -in $EXECUTABLE_PATH \ - -out gh_signed.exe + -out $OUT_PATH -# Oddly, there can be a delay before the file is *actually* available - wait for it -while [ ! -f gh_signed.exe ]; do sleep 1; done; - -mv gh_signed.exe $EXECUTABLE_PATH +mv $OUT_PATH $EXECUTABLE_PATH \ No newline at end of file
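Review bot: Deriving `ARCH` from a substring match on `$EXECUTABLE_PATH` is a fragile way to get a unique output name. If "amd64" appears anywhere else in the path, such as in the checkout directory, both Windows builds resolve to gh_signed-amd64.exe, which recreates the collision the per-arch name is presumably meant to prevent. Basing the temporary name on the input path is unique per build target without guessing the architecture, and keeps the later `mv` on the same filesystem: `OUT_PATH="${EXECUTABLE_PATH}.signed"`. The osslsigncode invocation that consumes `OUT_PATH` continues outside this hunk.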
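Review bot: `-out $OUT_PATH` and `mv $OUT_PATH $EXECUTABLE_PATH` expand unquoted, so a build path containing spaces or glob characters is split before osslsigncode and mv see it; `-out "$OUT_PATH"` and `mv "$OUT_PATH" "$EXECUTABLE_PATH"` fix that. With the wait loop removed, the only check on the signed file before it replaces the build artifact is osslsigncode's exit status under `set -e`. Running `osslsigncode verify -in "$OUT_PATH"` before the `mv` would make that check explicit, though it may need a CA bundle supplied to validate the chain on the build host. The osslsigncode command begins outside this hunk.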