diff --git a/Gruntfile.js b/Gruntfile.js
index 7edacc07..ccf1066b 100644
--- a/Gruntfile.js
+++ b/Gruntfile.js
@@ -475,12 +475,14 @@ module.exports = function(grunt) {
         'sign-exe': {
             'win-installer': {
                 options: {
-                    file: 'tmp/desktop/win-ia32/KeeWeb Setup ' + pkg.version + '-ia32.exe',
+                    file: 'dist/desktop/KeeWeb.win.x64.exe',
                     spc: 'keys/code-sign-win32.spc',
                     pvk: 'keys/code-sign-win32.pvk',
                     algo: 'sha1',
                     name: 'KeeWeb Setup',
-                    url: pkg.homepage
+                    url: pkg.homepage,
+                    keytarPasswordService: 'code-sign-win32-keeweb',
+                    keytarPasswordAccount: 'code-sign-win32-keeweb'
                 }
             }
         },
diff --git a/grunt/tasks/grunt-sign-exe.js b/grunt/tasks/grunt-sign-exe.js
index b705f08e..04429350 100644
--- a/grunt/tasks/grunt-sign-exe.js
+++ b/grunt/tasks/grunt-sign-exe.js
@@ -4,9 +4,14 @@
 
 module.exports = function (grunt) {
     grunt.registerMultiTask('sign-exe', 'Signs exe file with authenticode certificate', function () {
+        const keytar = require('keytar');
         const opt = this.options();
         const done = this.async();
-        grunt.util.spawn({
+        const password = keytar.getPassword(opt.keytarPasswordService, opt.keytarPasswordAccount);
+        if (!password) {
+            return grunt.warn('Code sign password not found');
+        }
+        let spawned = grunt.util.spawn({
             cmd: 'signcode',
             args: [
                 '-spc', opt.spc,
@@ -18,13 +23,18 @@ module.exports = function (grunt) {
                 '-t', 'http://timestamp.verisign.com/scripts/timstamp.dll',
                 '-tr', 10,
                 opt.file
-            ],
-            opts: { stdio: 'inherit' }
+            ]
         }, (error, result, code) => {
             if (error || code) {
-                return grunt.log.warn(`signtool error ${code}: ${error}`);
+                spawned.kill();
+                return grunt.warn(`signtool error ${code}: ${error}`);
             }
             done();
         });
+        spawned.stdout.pipe(process.stdout);
+        spawned.stderr.pipe(process.stderr);
+        spawned.stdin.setEncoding('utf-8');
+        spawned.stdin.write(password);
+        spawned.stdin.write('\n');
     });
 };
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
index 15d8179c..5f248871 100644
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
@@ -3378,6 +3378,18 @@
       "from": "jsprim@>=1.2.2 <2.0.0",
       "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.3.0.tgz"
     },
+    "keytar": {
+      "version": "3.0.2",
+      "from": "keytar@latest",
+      "resolved": "https://registry.npmjs.org/keytar/-/keytar-3.0.2.tgz",
+      "dependencies": {
+        "nan": {
+          "version": "2.3.2",
+          "from": "nan@2.3.2",
+          "resolved": "https://registry.npmjs.org/nan/-/nan-2.3.2.tgz"
+        }
+      }
+    },
     "kind-of": {
       "version": "3.0.3",
       "from": "kind-of@>=3.0.2 <4.0.0",
diff --git a/package.json b/package.json
index 29991c0b..1f6ede2d 100644
--- a/package.json
+++ b/package.json
@@ -42,6 +42,7 @@
     "handlebars": "4.0.5",
     "handlebars-loader": "1.3.0",
     "html-minifier": "3.0.1",
+    "keytar": "3.0.2",
     "load-grunt-tasks": "3.5.0",
     "node-sass": "3.8.0",
     "raw-loader": "0.5.1",