diff --git a/workflow-templates/build-app.tpl.yaml b/workflow-templates/build-app.tpl.yaml index bfdd0bb55..35aa4049d 100644 --- a/workflow-templates/build-app.tpl.yaml +++ b/workflow-templates/build-app.tpl.yaml @@ -85,9 +85,14 @@ on: # branches: # - production +permissions: + id-token: write + contents: write + jobs: build: runs-on: ${{ matrix.os }} + environment: dbgate-app strategy: fail-fast: false 
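Review bot: The new top-level `permissions:` block grants `id-token: write` and `contents: write` to every job and every matrix leg of the workflow, although only the `windows-2022` leg uses the OIDC login added later in this diff. The macOS and Linux legs, including the tag-pinned third-party `samuelmeuli/action-snapcraft@v1` step, can therefore also request an OIDC token for this repository. Moving Windows signing into its own job that alone carries `permissions: { id-token: write }` and `environment: dbgate-app` would let the build job keep only `contents: write`. If the block stays where it is, a comment such as `# id-token: write is needed only for azure/login (OIDC) on the Windows leg` would record why it is there. `environment: dbgate-app` narrows the token only if the Azure federated credential's subject is bound to that environment, which is not visible here; the `build` job continues outside this hunk.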
@@ -145,33 +150,65 @@ jobs: _if: _community if: matrix.os == 'ubuntu-22.04' uses: samuelmeuli/action-snapcraft@v1 - - name: Publish + + - name: Publish Windows + if: matrix.os == 'windows-2022' run: | <> yarn run build:app env: GH_TOKEN: ${{ secrets.GH_TOKEN }} # token for electron publish - WIN_CSC_LINK: ${{ secrets.WINCERT_2025 }} - WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_2025_PASSWORD }} - # WIN_CSC_LINK: ${{ secrets.WINCERT_CERTIFICATE }} - # WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_PASSWORD }} - + - name: Publish MacOS + if: matrix.os == 'macos-14' + run: | + <> + yarn run build:app + env: + GH_TOKEN: ${{ secrets.GH_TOKEN }} # token for electron publish CSC_LINK: ${{ secrets.APPLECERT_CERTIFICATE }} CSC_KEY_PASSWORD: ${{ secrets.APPLECERT_PASSWORD }} - APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} - - SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}} APPLE_APP_SPECIFIC_PASSWORD: ${{secrets.APPLE_APP_SPECIFIC_PASSWORD}} + - name: Publish Linux + if: matrix.os == 'ubuntu-22.04' + run: | + <> + yarn run build:app + env: + GH_TOKEN: ${{ secrets.GH_TOKEN }} # token for electron publish + SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}} + - name: generatePadFile _if: _community_stable run: | yarn generatePadFile + - name: Azure login (OIDC) + uses: azure/login@v2 + if: matrix.os == 'windows-2022' + with: + client-id: ${{ secrets.AZURE_TC_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TC_TENANT_ID }} + allow-no-subscriptions: true + + - name: Sign Windows artifacts with Azure Trusted Signing + uses: azure/trusted-signing-action@v0 + if: matrix.os == 'windows-2022' + with: + endpoint: https://wus3.codesigning.azure.net/ + trusted-signing-account-name: DbGate + certificate-profile-name: DbGate-Release + + files-folder: app/dist + files-folder-filter: exe + + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 + - name: Copy artifacts run: | 
mkdir artifacts
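Review bot: The `Sign Windows artifacts with Azure Trusted Signing` step runs after `Publish Windows`, which still receives `GH_TOKEN` (commented as the token for electron publish), so whatever `yarn run build:app` uploads or hashes is the unsigned `.exe`. Whether that script publishes is not visible in this hunk, but if it does, the release would carry unsigned binaries, and update metadata generated during the build would no longer match the files signed afterwards in `app/dist`. It is worth confirming that upload happens only after the signing step, or dropping `GH_TOKEN` from `Publish Windows`. Separately, `azure/login@v2` and `azure/trusted-signing-action@v0` are mutable tags executing in a job that holds `id-token: write` and access to the signing profile. Pinning each to a full commit SHA, e.g. `uses: azure/login@<full-commit-sha> # v2`, keeps a retagged release from reaching the signing step.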