diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 75831c56..6a3a33a5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -340,31 +340,26 @@ jobs: - name: Build and sign packages shell: powershell run: | - echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | % {[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_))} > $env:CERT_TEMP_PATH + echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | % {[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_))} > $env:SM_CLIENT_CERT_FILE smksp_registrar.exe list smctl.exe healthcheck smctl.exe keypair ls - smctl windows certsync --keypair-alias ${{ secrets.SM_KEYPAIR_ALIAS }} + smctl windows certsync --keypair-alias $env:SM_KEYPAIR_ALIAS smctl.exe certificate ls C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user # not used but necessary for electron-builder to run - $env:WIN_CSC_LINK=$env:CERT_TEMP_PATH + $env:WIN_CSC_LINK=$env:SM_CLIENT_CERT_FILE $env:WIN_CSC_KEY_PASSWORD=$env:SM_CLIENT_CERT_PASSWORD node scripts/build-windows.mjs if: github.repository == 'Eugeny/tabby' && github.event_name == 'push' && (github.ref_protected || startsWith(github.ref, 'refs/tags')) env: ARCH: ${{matrix.arch}} - CERT_TEMP_PATH: Certificate_pkcs12.p12 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} KEYGEN_TOKEN: ${{ secrets.KEYGEN_TOKEN }} - SM_API_KEY: ${{ secrets.SM_API_KEY }} - SM_HOST: ${{ secrets.SM_HOST }} SM_CLIENT_CERT_FILE: Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - SM_KEYPAIR_ALIAS: ${{ secrets.SM_KEYPAIR_ALIAS }} SM_PUBLISHER_NAME: ${{ secrets.SM_PUBLISHER_NAME }} - SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} DEBUG: electron-builder,electron-builder:* - name: Build packages without signing diff --git a/scripts/build-windows.mjs b/scripts/build-windows.mjs index 4a1ee649..664ecfdd 100755 --- a/scripts/build-windows.mjs +++ b/scripts/build-windows.mjs 
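Review bot: The script now reads `$env:SM_KEYPAIR_ALIAS`, but this hunk also deletes `SM_KEYPAIR_ALIAS` (along with `SM_API_KEY` and `SM_HOST`) from the step's `env:` block, so unless they are defined at job or workflow level or exported by an earlier step, which the hunk does not show, `smctl windows certsync --keypair-alias` receives an empty value. The certificate secret is still expanded straight into the script text by `echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"`, the same pattern this commit removes for the alias; I would add `SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}` under `env:` and write the file with `[IO.File]::WriteAllBytes((Join-Path $PWD $env:SM_CLIENT_CERT_FILE), [Convert]::FromBase64String($env:SM_CLIENT_CERT_FILE_B64))`. That also keeps the PKCS#12 bytes intact, which a round trip through `UTF8.GetString` and `>` is unlikely to do for binary content. The decoded file lands in the workspace and is not removed in the visible lines, so a `Remove-Item $env:SM_CLIENT_CERT_FILE` after `node scripts/build-windows.mjs` would keep it out of anything packaged or uploaded later.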
@@ -36,13 +36,12 @@ builder({
 if (configuration.path) {
 try {
 const out = execSync(
- `smctl sign --keypair-alias=${keypair} --input "${String(configuration.path)}"`, {
- stdio: 'inherit'
- }
+ `smctl sign --keypair-alias=${keypair} --input "${String(configuration.path)}"`
 )
 if (out.toString().includes('FAILED')) {
 throw new Error(out.toString())
 }
+ console.log(out)
 } catch (e) {
 console.error(`Failed to sign ${configuration.path}`)
 console.error(e)
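Review bot: The added `console.log(out)` prints the raw Buffer (`<Buffer …>`) rather than smctl's output, because `execSync` is called without an `encoding`; convert once with `const text = out.toString()` and use `text` for both the `FAILED` check and the log. The command is still assembled as a single shell string with `keypair` unquoted, so `execFileSync('smctl', ['sign', '--keypair-alias=' + keypair, '--input', String(configuration.path)])` would keep either value from being parsed by the shell (the import line is outside the hunk). The `catch` block continues past the end of the hunk, so I cannot see whether a signing failure is rethrown; if it is only logged, the build would carry on with an unsigned binary.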