diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d3bca3cdd..caec1c4e51 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,16 @@ on:
 - '.github/workflows/localisation.yml'
 - '.gitignore'
 - '.vscode/**'
+ workflow_dispatch:
+ inputs:
+ sign:
+ description: Sign binaries
+ type: choice
+ options:
+ - test-signing
+ - release-signing
+ default: test-signing
+
 defaults:
 run:
 shell: bash
@@ -34,6 +44,11 @@ jobs:
 build_variables:
 name: Get version info
 runs-on: ubuntu-latest
+ # We want to sign tagged releases with release certificates, but it is only allowed to be ran manually.
+ # Disable automatic runs for tags and force release signing for tags.
+ if: |
+ (startsWith(github.ref, 'refs/tags/v') && github.event_name == 'workflow_dispatch' && github.event.inputs.sign == 'release-signing') ||
+ (!startsWith(github.ref, 'refs/tags/v') && github.event.inputs.sign != 'release-signing')
 outputs:
 name: ${{ steps.artifact-name.outputs.name }}
 describe: ${{ steps.ghd.outputs.describe }}
@@ -42,6 +57,7 @@ jobs:
 tag: ${{ steps.ghd.outputs.tag }}
 push: ${{ steps.setenv.outputs.push }}
 sign: ${{ steps.sign.outputs.sign }}
+ certificate: ${{ steps.sign.outputs.certificate }}
 steps:
 # We need to fetch entire repo to get the tags and correctly run `describe`
 - name: Check out code
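Review bot: The `sign` input's description `Sign binaries` in the new `workflow_dispatch` block does not tell the person dispatching the run that the choice is a signing policy, or that `release-signing` only takes effect on `v*` tags. Something like `description: Signing policy (release-signing is only honoured for v* tags)` would document the constraint where the run is started. This is a documentation point only; the restriction itself is enforced by the `if:` added to `build_variables`.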
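Review bot: The `if:` added to `build_variables` is the only workflow-side gate on `release-signing` visible in this diff, and it is satisfied by any manually dispatched run on a ref matching `refs/tags/v*`, so the effective control is whoever can push a `v`-prefixed tag and trigger `workflow_dispatch`. Consider backing it with a tag ruleset on `v*` and a protected environment with required reviewers on the signing jobs; whether the SignPath policy itself enforces approval or origin verification is not visible here. It would also help to extend the comment to say that a dispatch with `test-signing` on a tag, or `release-signing` on a branch, skips this job (and presumably every job that needs it) without reporting an error.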
@@ -80,7 +96,16 @@ jobs:
 id: sign
 run: |
 echo "sign=${{ env.SIGNPATH_API_TOKEN != '' && (needs.build_variables.outputs.push || startsWith(github.ref, 'refs/tags/v')) }}"
+ # if using workflow_dispatch, use the provided certificate
+ if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
+ certificate=${{ github.event.inputs.sign }}
+ else
+ # Default to test-signing
+ certificate=test-signing
+ fi
+ echo "certificate=$certificate"
 echo "sign=${{ env.SIGNPATH_API_TOKEN != '' && (needs.build_variables.outputs.push || startsWith(github.ref, 'refs/tags/v')) }}" >> $GITHUB_OUTPUT
+ echo "certificate=$certificate" >> $GITHUB_OUTPUT
 lint-commit:
 name: Lint Commit Message
 if: github.event_name == 'pull_request'
@@ -186,7 +211,7 @@ jobs:
 api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
 organization-id: 645b821f-6283-45e1-8198-264997072801
 project-slug: OpenRCT2
- signing-policy-slug: 'test-signing'
+ signing-policy-slug: ${{ needs.build_variables.outputs.certificate }}
 artifact-configuration-slug: 'binaries'
 github-artifact-id: ${{ steps.upload-windows-binaries-unsigned.outputs.artifact-id }}
 wait-for-completion: true
@@ -234,7 +259,7 @@ jobs:
 api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
 organization-id: 645b821f-6283-45e1-8198-264997072801
 project-slug: OpenRCT2
- signing-policy-slug: 'test-signing'
+ signing-policy-slug: ${{ needs.build_variables.outputs.certificate }}
 artifact-configuration-slug: 'installer'
 github-artifact-id: ${{ steps.upload-windows-installer-unsigned.outputs.artifact-id }}
 wait-for-completion: true
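Review bot: In the `sign` step, `certificate=${{ github.event.inputs.sign }}` pastes the dispatch input into the script text before bash parses it, so the assignment is only as safe as the `choice` validation upstream. Passing the value through `env:` and checking it against the two known policies keeps the step safe even if the input type is later loosened, and makes an unexpected value fail the job instead of reaching the signing action as a policy slug. The same rewrite can default to `test-signing` first and quote `"$GITHUB_OUTPUT"`. The step begins above the hunk, so the `env:` key below would need merging with any `env:` block the step already has.

```yaml
env:
  SIGN_INPUT: ${{ github.event.inputs.sign }}
run: |
  # … unchanged: echo of the sign flag …
  # Default to test-signing; only a dispatched run may pick another policy
  certificate=test-signing
  if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
    case "$SIGN_INPUT" in
      test-signing|release-signing) certificate="$SIGN_INPUT" ;;
      *) echo "unexpected signing policy: $SIGN_INPUT" >&2; exit 1 ;;
    esac
  fi
  echo "certificate=$certificate"
  # … unchanged: sign flag written to $GITHUB_OUTPUT …
  echo "certificate=$certificate" >> "$GITHUB_OUTPUT"
```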