diff --git a/.github/workflows/macOS-arm64-selfhosted-publish-nightly.yml b/.github/workflows/macOS-arm64-selfhosted-publish-nightly.yml
index 68b1f918f..9187e0675 100644
--- a/.github/workflows/macOS-arm64-selfhosted-publish-nightly.yml
+++ b/.github/workflows/macOS-arm64-selfhosted-publish-nightly.yml
@@ -100,6 +100,16 @@ jobs:
       shell: bash
       run: |
         cat docs/publishing_assets/README.txt docs/publishing_assets/qsv-${{ matrix.job.target }}.txt > qsv-${{ needs.analyze-tags.outputs.previous-tag }}/README
+    - name: install zipsign
+      run: |
+        cargo install zipsign
+    - name: Fetch zipsign private key
+      uses: mobiledevops/secret-to-file-action@v1
+      with:
+        base64-encoded-secret: ${{ secrets.QSV_ZIPSIGN_PRIV_KEY }}
+        filename: "qsvpriv.key"
+        is-executable: false
+        working-directory: "."
     - name: Download latest release zip
       uses: robinraju/release-downloader@v1.8
       with:
@@ -107,8 +117,14 @@ jobs:
         latest: true
         token: ${{ secrets.GITHUB_TOKEN }}
         fileName: qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip
+    - name: remove zipsign signature from zip archive
+      run: |
+        zipsign unsign zip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip
     - name: add/update nightly files to zip
       run: 7zz u -tzip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip ./qsv-${{ needs.analyze-tags.outputs.previous-tag }}/* -mx=9 -mmt=on
+    - name: re-zipsign zip archive
+      run: |
+        zipsign sign zip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip qsvpriv.key
     - name: Upload zipped binaries to release
       uses: svenstaro/upload-release-action@v2
       with: