diff --git a/rust/hgcli/pyoxidizer.bzl b/rust/hgcli/pyoxidizer.bzl
--- a/rust/hgcli/pyoxidizer.bzl
+++ b/rust/hgcli/pyoxidizer.bzl
@@ -8,12 +8,29 @@
 #
 # EXTRA_MSI_FEATURES
 #   ; delimited string of extra features to advertise in the built MSA.
+#
+# SIGNING_PFX_PATH
+#   Path to code signing certificate to use.
+#
+# SIGNING_PFX_PASSWORD
+#   Password to code signing PFX file defined by SIGNING_PFX_PATH.
+#
+# SIGNING_SUBJECT_NAME
+#   String fragment in code signing certificate subject name used to find
+#   code signing certificate in Windows certificate store.
+#
+# TIME_STAMP_SERVER_URL
+#   URL of time-stamp token authority (RFC 3161) servers to stamp code signatures.
 
 ROOT = CWD + "/../.."
 
 VERSION = VARS.get("VERSION", "5.8")
 MSI_NAME = VARS.get("MSI_NAME", "mercurial")
 EXTRA_MSI_FEATURES = VARS.get("EXTRA_MSI_FEATURES")
+SIGNING_PFX_PATH = VARS.get("SIGNING_PFX_PATH")
+SIGNING_PFX_PASSWORD = VARS.get("SIGNING_PFX_PASSWORD", "")
+SIGNING_SUBJECT_NAME = VARS.get("SIGNING_SUBJECT_NAME")
+TIME_STAMP_SERVER_URL = VARS.get("TIME_STAMP_SERVER_URL", "http://timestamp.digicert.com")
 
 IS_WINDOWS = "windows" in BUILD_TARGET_TRIPLE
 
@@ -230,6 +247,24 @@
     return wix
 
 
+def register_code_signers():
+    if not IS_WINDOWS:
+        return
+
+    if SIGNING_PFX_PATH:
+        signer = code_signer_from_pfx_file(SIGNING_PFX_PATH, SIGNING_PFX_PASSWORD)
+    elif SIGNING_SUBJECT_NAME:
+        signer = code_signer_from_windows_store_subject(SIGNING_SUBJECT_NAME)
+    else:
+        signer = None
+
+    if signer:
+        signer.set_time_stamp_server(TIME_STAMP_SERVER_URL)
+        signer.activate()
+
+
+register_code_signers()
+
 register_target("distribution", make_distribution)
 register_target("exe", make_exe, depends = ["distribution"])
 register_target("app", make_manifest, depends = ["distribution", "exe"], default = True)