diff --git a/orbit/tools/build/fleetdm.pfx b/orbit/tools/build/fleetdm.pfx
new file mode 100644
index 0000000000..fa03ea1d33
Binary files /dev/null and b/orbit/tools/build/fleetdm.pfx differ
diff --git a/orbit/tools/build/sign-windows.sh b/orbit/tools/build/sign-windows.sh
new file mode 100755
index 0000000000..d0c46d925c
--- /dev/null
+++ b/orbit/tools/build/sign-windows.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+input_file=$1
+
+if [ ! -f "$input_file" ]
+then
+ echo 'First argument must be path to binary'
+ exit 1
+fi
+
+# Skip if not a windows PE executable
+if ! ( file "$input_file" | grep -q PE )
+then
+ echo 'Skip windows signing'
+ exit 0
+fi
+
+if ! command -v osslsigncode >/dev/null 2>&1 ; then
+ echo "Osslsigncode utility is not present. Binary cannot be signed."
+ exit 1
+fi
+
+work_file="${input_file}_old"
+
+mv "$input_file" "$work_file"
+
+osslsigncode sign -pkcs12 "./orbit/tools/build/fleetdm.pfx" -pass "fleetdm" -n "Fleet Osquery" -i "https://www.fleetdm.com" -t "http://timestamp.comodoca.com/authenticode" -in "$work_file" -out "$input_file"
+
+retVal=$?
+if [ $retVal -ne 0 ]; then
+ echo "There was an error when signing."
+else
+ echo "Binary $input_file was successfully signed."
+ rm $work_file
+fi
+exit $retVal
\ No newline at end of file
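Review bot: The signing bundle `orbit/tools/build/fleetdm.pfx` is committed to the repository and the script unlocks it with the literal `-pass "fleetdm"`, so the signing key (presumably inside the PKCS#12 file, since `osslsigncode sign -pkcs12` needs one) is available to anyone who can read the tree. A signature made with it then says nothing about who built the binary. If this is a throwaway self-signed certificate meant only to exercise the signing path, state that in a comment at the top of sign-windows.sh, e.g. `# Test-only self-signed certificate; signatures carry no trust.` If it carries any trust, treat the committed key as exposed and supply the bundle and password from the build environment instead, for example `-pkcs12 "$SIGN_PFX_PATH" -readpass "$SIGN_PFX_PASS_FILE"` (variable names are illustrative), which also keeps the password off the command line. The relative path `./orbit/tools/build/fleetdm.pfx` also makes the script depend on being run from the repository root.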
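Review bot: Because `set -eo pipefail` is active, a failing `osslsigncode sign` aborts the script on that line, so the `retVal=$?` block after it only ever runs with status 0. The "There was an error when signing." branch is unreachable, and on failure the unsigned binary stays renamed to `${input_file}_old` with nothing left at the original path. Put the command in the condition and restore the file on failure: `if ! osslsigncode sign ... -in "$work_file" -out "$input_file"; then mv -- "$work_file" "$input_file"; echo "There was an error when signing." >&2; exit 1; fi`, and quote the cleanup as `rm -- "$work_file"`. The PE check `file "$input_file" | grep -q PE` also matches when the path itself contains "PE", because `file` prints the file name; `file -b "$input_file"` avoids that. A final `osslsigncode verify` on the output would confirm the signature before the original is deleted.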