diff --git a/.github/actions/sign-windows/action.yml b/.github/actions/sign-windows/action.yml
new file mode 100644
index 00000000..7cd7d7ce
--- /dev/null
+++ b/.github/actions/sign-windows/action.yml
@@ -0,0 +1,37 @@
+name: 'Sign Windows artifacts'
+description: 'Sign one or more Windows artifacts (.exe/.msi) with the Viam EV code-signing key in GCP KMS.'
+inputs:
+  files:
+    description: 'Glob pattern matching the files to sign (relative to the workspace).'
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v3'
+      with:
+        token_format: 'access_token'
+        project_id: 'engineering-tools-310515'
+        workload_identity_provider: 'projects/385154741571/locations/global/workloadIdentityPools/ev-signing-id/providers/github-repos-viam-and-labs'
+        service_account: 'ev-code-signing@engineering-tools-310515.iam.gserviceaccount.com'
+    - id: 'secrets'
+      uses: 'google-github-actions/get-secretmanager-secrets@v3'
+      with:
+        secrets: |-
+          public_key:projects/385154741571/secrets/ev-code-signing-public-key
+    - name: Sign with jsign
+      shell: bash
+      run: |
+        curl -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/7.1/jsign-7.1.jar
+        echo "${{ steps.secrets.outputs.public_key }}" > cert.pem
+        for f in ${{ inputs.files }}; do
+          java -jar jsign.jar \
+            --name "Viam Agent" \
+            --storetype GOOGLECLOUD \
+            --keystore "projects/engineering-tools-310515/locations/global/keyRings/release_signing_key" \
+            --storepass "${{ steps.auth.outputs.access_token }}" \
+            --alias "ev-code-signing-key/cryptoKeyVersions/2" \
+            --certfile cert.pem \
+            --tsaurl http://timestamp.digicert.com \
+            "$f"
+        done
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index 497b1987..cea59a83 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
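Review bot: The signing tool is fetched with `curl -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/7.1/jsign-7.1.jar` and immediately run with the KMS access token and the release key alias, with no integrity check on the jar, so a replaced or tampered release asset would execute inside the job holding those credentials. Verify a pinned SHA-256 before invoking it and use `curl -f` so an HTTP error body is not saved as `jsign.jar`. The `files` input is also expanded straight into the script at `for f in ${{ inputs.files }}; do`; passing it through `env:` keeps a caller-supplied value from being parsed as shell, and `shopt -s failglob` makes an unmatched pattern fail instead of handing the literal pattern to jsign. The `description` should also record that the calling job needs `id-token: write` for the `google-github-actions/auth@v3` step, e.g. `description: 'Sign one or more Windows artifacts (.exe/.msi) with the Viam EV code-signing key in GCP KMS. Requires id-token: write on the calling job.'`.
```yaml
    - name: Sign with jsign
      shell: bash
      env:
        FILES: ${{ inputs.files }}
        # placeholder — replace with the published SHA-256 of jsign-7.1.jar before merging
        JSIGN_SHA256: '<EXPECTED_JSIGN_SHA256>'
      run: |
        curl -fL -o jsign.jar https://github.com/ebourg/jsign/releases/download/7.1/jsign-7.1.jar
        echo "${JSIGN_SHA256}  jsign.jar" | sha256sum -c -
        # … unchanged: cert.pem write …
        shopt -s failglob
        for f in $FILES; do
          # … unchanged: java -jar jsign.jar invocation …
        done
```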
@@ -110,34 +110,10 @@ jobs:
         run: echo "value=$(./dev-version.sh)" >> "$GITHUB_OUTPUT"
       - name: Build
         run: make all
-      - id: 'gcp-signing-auth'
-        uses: 'google-github-actions/auth@v3'
-        with:
-          token_format: 'access_token'
-          project_id: 'engineering-tools-310515'
-          workload_identity_provider: 'projects/385154741571/locations/global/workloadIdentityPools/ev-signing-id/providers/github-repos-viam-and-labs'
-          service_account: 'ev-code-signing@engineering-tools-310515.iam.gserviceaccount.com'
-      - id: 'gcp-signing-secrets'
-        uses: 'google-github-actions/get-secretmanager-secrets@v3'
-        with:
-          secrets: |-
-            public_key:projects/385154741571/secrets/ev-code-signing-public-key
       - name: Sign Windows binaries
-        run: |
-          curl -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/7.1/jsign-7.1.jar
-          echo "${{ steps.gcp-signing-secrets.outputs.public_key }}" > cert.pem
-          # Loop signs the versioned binary and (on releases) the viam-agent-stable-windows-x86_64 copy.
-          for f in bin/viam-agent-*-windows-x86_64; do
-            java -jar jsign.jar \
-              --name "Viam Agent" \
-              --storetype GOOGLECLOUD \
-              --keystore "projects/engineering-tools-310515/locations/global/keyRings/release_signing_key" \
-              --storepass "${{ steps.gcp-signing-auth.outputs.access_token }}" \
-              --alias "ev-code-signing-key/cryptoKeyVersions/2" \
-              --certfile cert.pem \
-              --tsaurl http://timestamp.digicert.com \
-              "$f"
-          done
+        uses: ./.github/actions/sign-windows
+        with:
+          files: 'bin/viam-agent-*-windows-x86_64'
       - name: Generate manifest
         run: make manifest
       - uses: actions/upload-artifact@v4
@@ -182,6 +158,11 @@ jobs:
     name: Build MSI
     runs-on: windows-2022
     needs: build
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    outputs:
+      pr_url: ${{ steps.pr_url.outputs.url }}
     steps:
       - uses: actions/checkout@v4
       - uses: actions/download-artifact@v4
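Review bot: The comment explaining that the glob also signs the `viam-agent-stable-windows-x86_64` copy on releases is dropped together with the inlined script, and nothing at the new `uses: ./.github/actions/sign-windows` step records why `files: 'bin/viam-agent-*-windows-x86_64'` is a pattern rather than the single versioned binary. Restore it above the step: `# Glob also matches the viam-agent-stable-windows-x86_64 copy produced on releases.` The build job's `permissions` block is outside this hunk; the action's auth step still needs `id-token: write` there, which is presumably already granted since the removed auth step ran in the same job, but it is worth confirming.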
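Review bot: `contents: 'read'` and `id-token: 'write'` in the new `permissions` block are single-quoted while the same kind of value elsewhere in this file is written plain (`pull-requests: write` in the `pr-dev-release-comment` job); write them as `contents: read` and `id-token: write` for consistency. The scope itself is the narrowest the `sign-windows` action needs, which is the right call for a job that mints a federated token.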
@@ -195,6 +176,10 @@ jobs:
           dotnet tool restore
           dotnet build msi -c Release
           mv msi/bin/x64/Release/en-US/Package.msi "viam-agent-${{ needs.build.outputs.version }}-windows-x86_64.msi"
+      - name: Sign MSI
+        uses: ./.github/actions/sign-windows
+        with:
+          files: 'viam-agent-*-windows-x86_64.msi'
       - uses: actions/upload-artifact@v4
         with:
           name: viam-agent-msi
@@ -217,12 +202,21 @@ jobs:
         if: github.event_name == 'pull_request'
         shell: bash
         run: gsutil -h "Cache-Control:no-cache" cp viam-agent-*-windows-x86_64.msi "gs://packages.viam.com/apps/viam-agent/prerelease/pr-${{ github.event.pull_request.number }}/"
+      - name: Collect MSI PR dev release URL
+        id: pr_url
+        if: github.event_name == 'pull_request'
+        shell: bash
+        run: |
+          BASE="https://storage.googleapis.com/packages.viam.com/apps/viam-agent/prerelease/pr-${{ github.event.pull_request.number }}"
+          for f in viam-agent-*-windows-x86_64.msi; do
+            echo "url=- [\`$f\`](${BASE}/$f)" >> "$GITHUB_OUTPUT"
+          done
 
   pr-dev-release-comment:
     name: Post PR dev release URLs
     runs-on: ubuntu-latest
-    needs: build
-    if: github.event_name == 'pull_request'
+    needs: [build, msi]
+    if: always() && github.event_name == 'pull_request'
     permissions:
       pull-requests: write
     steps:
@@ -236,6 +230,7 @@ jobs:
             Built from `${{ github.event.pull_request.head.sha }}`.
 
-            ${{ needs.build.outputs.pr_urls }}
+            ${{ needs.build.result == 'success' && needs.build.outputs.pr_urls || '- Binary build failed — check workflow logs' }}
+            ${{ needs.msi.result == 'success' && needs.msi.outputs.pr_url || '- MSI build failed — check workflow logs' }}
 
             Remove the `dev-release` label to stop further dev release builds.
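Review bot: In the `Collect MSI PR dev release URL` step every loop iteration writes the same `url=` key to `$GITHUB_OUTPUT`, so if the glob ever matches more than one `.msi` only one of the lines appears to survive in `steps.pr_url.outputs.url` (the build job's `pr_urls` output, outside this diff, is plural and presumably accumulates). A multi-line output with a heredoc delimiter keeps every match. Separately, `if: always() && github.event_name == 'pull_request'` on `pr-dev-release-comment` runs the comment job even when the run was cancelled; `if: ${{ !cancelled() && github.event_name == 'pull_request' }}` still posts after a failed build but skips a cancelled one.
```yaml
        run: |
          BASE="https://storage.googleapis.com/packages.viam.com/apps/viam-agent/prerelease/pr-${{ github.event.pull_request.number }}"
          {
            echo "url<<EOF"
            for f in viam-agent-*-windows-x86_64.msi; do
              echo "- [\`$f\`](${BASE}/$f)"
            done
            echo "EOF"
          } >> "$GITHUB_OUTPUT"
```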