diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 91f505f..c640dc8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,3 +40,12 @@ jobs:
 # GitHub sets the GITHUB_TOKEN secret automatically.
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+ SP_CI_USER_TOKEN: ${{ secrets.SP_CI_USER_TOKEN }}
+ SP_ORGANIZATION_ID: ${{ secrets.SP_ORGANIZATION_ID }}
+ SP_PROJECT: ${{ secrets.SP_PROJECT }}
+
+ SWO_ISSUER_ID: ${{ secrets.SWO_ISSUER_ID }}
+ SWO_KEY_ID: ${{ secrets.SWO_KEY_ID }}
+ SWO_MAC_P8_FILE: ${{ secrets.SWO_MAC_P8_FILE }}
+ SWO_MAC_P12_CERT: ${{ secrets.SWO_MAC_P12_CERT }}
+ SWO_P12_PASSWORD: ${{ secrets.SWO_P12_PASSWORD }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index a4892cd..59f8526 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -4,8 +4,10 @@ before:
 hooks:
 # this is just an example and not a requirement for provider building/publishing
 - go mod tidy
+
 builds:
-- env:
+- id: linux
+ env:
 # goreleaser does not work with CGO, it could also complicate
 # usage by users in CI/CD systems like Terraform Cloud where
 # they are unable to install libraries.
@@ -17,7 +19,6 @@ builds:
 - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'
 goos:
 - freebsd
- - windows
 - linux
 - darwin
 goarch:
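Review bot: The nine new `env:` entries in the release step say nothing about which tool consumes them, unlike the neighbouring `GITHUB_TOKEN` line that documents its origin; a one-line comment above each group would make the dependency explicit, e.g. `# SP_*: credentials used by the Windows code-signing post hook in .goreleaser.yml` and `# SWO_*: Apple signing certificate and App Store Connect API key used by the notarize block in .goreleaser.yml`. The names `SWO_MAC_P8_FILE` and `SWO_MAC_P12_CERT` read as file paths, yet a repository secret can only hold a value, and `.goreleaser.yml` passes them straight into `key:` and `certificate:`; as far as I recall those GoReleaser fields accept either a path or the base64-encoded file contents, so the comment should state which form these secrets hold, or the secrets should be renamed to match. Whoever rotates these credentials later has no other place to learn this from.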
@@ -29,15 +30,35 @@ builds:
 - goos: darwin
 goarch: '386'
 binary: '{{ .ProjectName }}_v{{ .Version }}'
+- id: windows
+ env:
+ # goreleaser does not work with CGO, it could also complicate
+ # usage by users in CI/CD systems like Terraform Cloud where
+ # they are unable to install libraries.
+ - CGO_ENABLED=0
+ ldflags:
+ - "-s -w -X 'main.version=v{{ .Version }}'"
+ targets:
+ - windows_amd64
+ hooks:
+ post:
+ - env:
+ - SP_SIGNING_POLICY=Release
+ - SP_ARTIFACT_CONFIGURATION=exe
+ cmd: pwsh -c "Submit-SigningRequest -ApiToken "$env:SP_CI_USER_TOKEN" -OrganizationId "$env:SP_ORGANIZATION_ID" -ProjectSlug "$env:SP_PROJECT" -SigningPolicySlug "$env:SP_SIGNING_POLICY" -ArtifactConfigurationSlug "$env:SP_ARTIFACT_CONFIGURATION" -InputArtifactPath '{{ .Path }}' -OutputArtifactPath '{{ .Path }}' -Force -WaitForCompletion"
+ output: true
+
 archives:
 - format: zip
 name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+
 checksum:
 extra_files:
 - glob: 'terraform-registry-manifest.json'
 name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
 name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
 algorithm: sha256
+
 signs:
 - artifacts: checksum
 args:
@@ -50,9 +71,26 @@ signs:
 - "${signature}"
 - "--detach-sign"
 - "${artifact}"
+
 release:
 extra_files:
 - glob: 'terraform-registry-manifest.json'
 name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
 # If you want to manually examine the release before its live, uncomment this line:
 # draft: true
+
+notarize:
+ macos:
+ - enabled: '{{ isEnvSet "SWO_MAC_P12_CERT" }}'
+ ids:
+ - mac
+ sign:
+ certificate: "{{.Env.SWO_MAC_P12_CERT}}"
+ password: "{{.Env.SWO_P12_PASSWORD}}"
+
+ notarize:
+ issuer_id: "{{.Env.SWO_ISSUER_ID}}"
+ key_id: "{{.Env.SWO_KEY_ID}}"
+ key: "{{.Env.SWO_MAC_P8_FILE}}"
+ wait: true
+ timeout: 20m
\ No newline at end of file
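Review bot: The `cmd:` line of the windows build's post hook nests unescaped double quotes (`-ApiToken "$env:SP_CI_USER_TOKEN"` and friends) inside the double-quoted `pwsh -c "..."` string; as far as I know GoReleaser splits a hook's `cmd` into arguments itself rather than handing it to a shell, so each inner quote closes and reopens the outer string and the command only works because those quotes are discarded and the `$env:` references reach PowerShell unquoted. Drop the inner quotes so the text matches what actually runs, or move the call into a checked-in script invoked with `pwsh -File` so the quoting is PowerShell's own. The hook also presumes pwsh and the signing module are present on the runner and that the SP_* secrets are set; nothing in this diff beyond the env entries in release.yml provides either, so a release run from a context without those secrets would presumably fail at this hook instead of skipping it. A separate inconsistency: this build's ldflags `-X 'main.version=v{{ .Version }}'` prefix the version with `v` and omit `main.commit`, while the linux build in the earlier hunk sets `main.version={{.Version}} -X main.commit={{.Commit}}`; unless the Windows binary is meant to report a different version string, use `- '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'` here as well.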
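Review bot: `ids: - mac` in the new notarize block names a build id that does not appear anywhere in this diff: the builds visible here are `linux`, whose goos list in the earlier hunk still includes `darwin`, and `windows`. Unless a build with id `mac` exists outside these hunks, the filter most likely matches no binaries and the darwin artifacts ship unsigned and un-notarized without any error, which is exactly the failure mode a `wait: true` / `timeout: 20m` setting would never surface. Either reference the build that actually produces them (`- linux`) or split darwin into its own build with `id: mac`, which would also stop the `linux` id from misdescribing a build that emits freebsd and darwin binaries. The `enabled` gate only checks `SWO_MAC_P12_CERT`, so a run with the certificate set but the P8 key, issuer id or key id missing would get past the gate and fail inside notarization rather than being skipped. The file also now ends without a trailing newline.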