diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5b435e9..e34f64d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -118,11 +118,12 @@ jobs: name: extensions path: extensions/azuredevops/artifacts - publish-tools: - name: Publish - if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/master')) }} + sign: + name: Sign Package + if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) }} runs-on: windows-latest needs: + - build-extensions - build-tools steps: - name: Checkout 
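Review bot: The `sign` job runs on any push to a branch whose name starts with `release/`, and unlike the two production publish jobs added later in this diff it declares no `environment:`, so nothing in the workflow itself gates the run that receives the code-signing secrets. If creating `release/*` branches is not restricted by a branch protection rule, anyone with push access can start a signing run. Consider adding `environment: <signing-environment-name>` with required reviewers to this job, or confirm that the `release/*` pattern is protected. The job's steps continue outside this hunk.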
@@ -139,6 +140,79 @@ jobs: with: dotnet-version: '3.1.x' + - name: Setup SignClient + run: | + dotnet tool install --tool-path build SignClient + + - name: SignClient + shell: pwsh + run: | + build\SignClient sign -i artifacts\*.nupkg -c build\SignClient.json -r "${{ secrets.UNO_PLATFORM_CODESIGN_USERNAME }}" -s "${{ secrets.UNO_PLATFORM_CODESIGN_SECRET }}" -n "Uno Nuget Tools" -d "Uno Nuget Tools" -u "https://github.com/unoplatform/nuget.updater" + + - name: Upload Signed Artifacts + uses: actions/upload-artifact@v2 + with: + name: NuGet-Signed + path: .\artifacts + + publish_nuget_dev: + name: Publish Dev + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} + runs-on: windows-latest + + needs: + - sign + + steps: + - name: Download Artifacts + uses: actions/download-artifact@v2 + with: + name: NuGet-Signed + path: artifacts + - name: NuGet Push + shell: pwsh + run: | + dotnet nuget push artifacts\*.nupkg -s https://api.nuget.org/v3/index.json -k "${{ secrets.NUGET_ORG_API_KEY }}" + + publish_nuget_prod: + name: Publish Production + if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/') }} + runs-on: windows-latest + environment: 'Nuget Production' + + needs: + - sign + + steps: + - name: Download Artifacts + uses: actions/download-artifact@v2 + with: + name: NuGet-Signed + path: artifacts + + - name: NuGet Push + shell: pwsh + run: | + dotnet nuget push artifacts\*.nupkg -s https://api.nuget.org/v3/index.json -k "${{ secrets.NUGET_ORG_API_KEY }}" + + publish_extensions_prod: + name: Publish Production + if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/') }} + runs-on: windows-latest + environment: 'Extension Production' + + needs: + - build-extensions + + steps: + - name: Download Artifacts + uses: actions/download-artifact@v2 + with: + name: NuGet-Signed + path: artifacts + + - name: Publish to VS Marketplace + shell: pwsh run: | - dotnet nuget push artifacts\*.nupkg -s 
https://api.nuget.org/v3/index.json -k ${{ secrets.NUGET_ORG_API_KEY }}
+ echo publish
diff --git a/build/SignClient.json b/build/SignClient.json
new file mode 100644
index 0000000..560ac54
--- /dev/null
+++ b/build/SignClient.json
@@ -0,0 +1,13 @@
+{
+ "SignClient": {
+ "AzureAd": {
+ "AADInstance": "https://login.microsoftonline.com/",
+ "ClientId": "80441c68-7fd8-4866-8dd1-8c78ff585a8a",
+ "TenantId": "a297d6c0-b635-41a3-b1e3-558efe71e413"
+ },
+ "Service": {
+ "Url": "https://uno-signservice.azurewebsites.net",
+ "ResourceId": "https://SignService.platformuno.onmicrosoft.com/6dd8824b-6147-4b02-a1af-ea83b0ffebdb"
+ }
+ }
+}
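Review bot: The `SignClient` and `NuGet Push` steps expand `${{ secrets.* }}` straight into the `run:` script text (`-s "${{ secrets.UNO_PLATFORM_CODESIGN_SECRET }}"`, `-k "${{ secrets.NUGET_ORG_API_KEY }}"`), so PowerShell parses the secret value inside a double-quoted string before the tool receives it; passing it through `env:` and reading `$env:...` keeps it as data, as sketched below. `dotnet tool install --tool-path build SignClient` has no `--version`, so the tool that is handed the signing credential is whatever version the feed serves at build time, and pinning it would make the signing step reproducible. `publish_extensions_prod` downloads `NuGet-Signed` but only `needs: build-extensions`, so it is not ordered after `sign`, the job that uploads that artifact. `publish_nuget_dev` and `publish_nuget_prod` both read `NUGET_ORG_API_KEY`; if that is a repository-level secret, the `Nuget Production` environment adds an approval step but does not restrict which job can use the key.

```yaml
      - name: SignClient
        shell: pwsh
        env:
          # variable names below are illustrative
          CODESIGN_USERNAME: ${{ secrets.UNO_PLATFORM_CODESIGN_USERNAME }}
          CODESIGN_SECRET: ${{ secrets.UNO_PLATFORM_CODESIGN_SECRET }}
        run: |
          build\SignClient sign -i artifacts\*.nupkg -c build\SignClient.json -r "$env:CODESIGN_USERNAME" -s "$env:CODESIGN_SECRET" -n "Uno Nuget Tools" -d "Uno Nuget Tools" -u "https://github.com/unoplatform/nuget.updater"
      # … unchanged: Upload Signed Artifacts, publish job headers, Download Artifacts …
      - name: NuGet Push
        shell: pwsh
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_ORG_API_KEY }}
        run: |
          dotnet nuget push artifacts\*.nupkg -s https://api.nuget.org/v3/index.json -k "$env:NUGET_API_KEY"
```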
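Review bot: `Service.Url` and `Service.ResourceId` in this file are what the workflow's `SignClient sign -c build\SignClient.json` step is pointed at, so an edit here presumably changes which endpoint receives the signing username and secret. The file should fall under the same review requirements as the workflow, for example a CODEOWNERS entry covering `build/SignClient.json`. `ClientId` and `TenantId` look like identifiers rather than credentials, but JSON cannot carry a comment saying so; a sentence in the repository docs stating that no secret belongs in this file would help the next reader.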