diff --git a/tools/Makefile.am b/tools/Makefile.am
index 769a81a00..822c42a4f 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -1,224 +1,225 @@ # Makefile.am - Tools directory # Copyright (C) 2003, 2007 Free Software Foundation, Inc. # # This file is part of GnuPG. # # GnuPG is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # GnuPG is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . EXTRA_DIST = \ Manifest watchgnupg.c no-libgcrypt.c \ addgnupghome applygnupgdefaults \ lspgpot mail-signed-keys convert-from-106 sockprox.c \ ccidmon.c ChangeLog-2011 \ gpg-connect-agent-w32info.rc gpg-connect-agent.w32-manifest.in \ gpgconf-w32info.rc gpgconf.w32-manifest.in \ gpgtar-w32info.rc gpgtar.w32-manifest.in \ gpg-check-pattern-w32info.rc gpg-check-pattern.w32-manifest.in \ gpg-wks-client-w32info.rc gpg-wks-client.w32-manifest.in \ gpg-card-w32info.rc gpg-card.w32-manifest.in AM_CPPFLAGS = include $(top_srcdir)/am/cmacros.am if HAVE_W32_SYSTEM gpg_connect_agent_rc_objs = gpg-connect-agent-w32info.o gpgconf_rc_objs = gpgconf-w32info.o gpg_card_rc_objs = gpg-card-w32info.o gpgtar_rc_objs = gpgtar-w32info.o gpg_check_pattern_rc_objs = gpg-check-pattern-w32info.o gpg_wks_client_rc_objs = gpg-wks-client-w32info.o gpg-connect-agent-w32info.o : gpg-connect-agent.w32-manifest \ ../common/w32info-rc.h gpgconf-w32info.o : gpgconf.w32-manifest ../common/w32info-rc.h gpg-card-w32info.o : gpg-card.w32-manifest ../common/w32info-rc.h gpgtar-w32info.o : gpgtar.w32-manifest ../common/w32info-rc.h gpg-check-pattern-w32info.o : gpg-check-pattern.w32-manifest \ ../common/w32info-rc.h gpg-wks-client-w32info.o : gpg-wks-client.w32-manifest \ 
../common/w32info-rc.h endif AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS) sbin_SCRIPTS = addgnupghome applygnupgdefaults +bin_SCRIPTS = gpg-authcode-sign.sh if BUILD_WKS_TOOLS gpg_wks_server = gpg-wks-server else gpg_wks_server = endif bin_PROGRAMS = gpgconf gpg-connect-agent gpg-card gpg-wks-client if !HAVE_W32_SYSTEM bin_PROGRAMS += watchgnupg gpgparsemail ${gpg_wks_server} gpgsplit else bin_PROGRAMS += gpgconf-w32 endif libexec_PROGRAMS = gpg-check-pattern gpg-pair-tool if !HAVE_W32_SYSTEM libexec_PROGRAMS += gpg-auth endif noinst_PROGRAMS = clean-sat make-dns-cert if BUILD_GPGTAR bin_PROGRAMS += gpgtar else noinst_PROGRAMS += gpgtar endif common_libs = $(libcommon) commonpth_libs = $(libcommonpth) pwquery_libs = ../common/libsimple-pwquery.a regexp_libs = ../regexp/libregexp.a gpgsplit_LDADD = $(common_libs) \ $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \ $(ZLIBS) $(LIBINTL) $(NETLIBS) $(LIBICONV) gpgconf_SOURCES = gpgconf.c gpgconf.h gpgconf-comp.c # common sucks in gpg-error, will they, nil they (some compilers # do not eliminate the supposed-to-be-unused-inline-functions). 
gpgconf_LDADD = $(common_libs) \ $(LIBINTL) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \ $(LIBICONV) $(W32SOCKLIBS) \ $(gpgconf_rc_objs) gpgconf_LDFLAGS = gpgconf_w32_SOURCES = $(gpgconf_SOURCES) gpgconf_w32_LDADD = $(gpgconf_LDADD) gpgconf_w32_LDFLAGS = $(gpgconf_LDFLAGS) -Wl,-subsystem,windows gpgparsemail_SOURCES = gpgparsemail.c rfc822parse.c rfc822parse.h gpgparsemail_LDADD = watchgnupg_SOURCES = watchgnupg.c watchgnupg_LDADD = $(NETLIBS) gpg_connect_agent_SOURCES = gpg-connect-agent.c gpg_connect_agent_LDADD = ../common/libgpgrl.a $(common_libs) \ $(LIBASSUAN_LIBS) $(LIBGCRYPT_LIBS) \ $(GPG_ERROR_LIBS) \ $(LIBREADLINE) $(LIBINTL) $(NETLIBS) $(LIBICONV) \ $(gpg_connect_agent_rc_objs) gpg_card_SOURCES = \ gpg-card.c \ gpg-card.h \ card-call-scd.c \ card-keys.c \ card-yubikey.c \ card-misc.c gpg_card_LDADD = \ ../common/libgpgrl.a $(common_libs) \ $(LIBASSUAN_LIBS) $(LIBGCRYPT_LIBS) \ $(GPG_ERROR_LIBS) \ $(LIBREADLINE) $(LIBINTL) $(NETLIBS) $(LIBICONV) \ $(gpg_card_rc_objs) gpg_check_pattern_SOURCES = gpg-check-pattern.c gpg_check_pattern_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(INCICONV) gpg_check_pattern_LDADD = $(common_libs) $(regexp_libs) $(LIBGCRYPT_LIBS) \ $(GPG_ERROR_LIBS) \ $(LIBINTL) $(NETLIBS) $(LIBICONV) $(W32SOCKLIBS) \ $(LIBICONV) \ $(gpg_check_pattern_rc_objs) gpgtar_SOURCES = \ gpgtar.c gpgtar.h \ gpgtar-create.c \ gpgtar-extract.c \ gpgtar-list.c gpgtar_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) gpgtar_LDADD = $(libcommon) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \ $(LIBINTL) $(NETLIBS) $(LIBICONV) $(W32SOCKLIBS) \ $(gpgtar_rc_objs) gpg_wks_server_SOURCES = \ gpg-wks-server.c \ gpg-wks.h \ wks-util.c \ wks-receive.c \ rfc822parse.c rfc822parse.h \ mime-parser.c mime-parser.h \ mime-maker.c mime-maker.h \ send-mail.c send-mail.h gpg_wks_server_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(INCICONV) gpg_wks_server_LDADD = $(libcommon) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \ $(LIBINTL) $(LIBICONV) gpg_wks_client_SOURCES = \ 
gpg-wks-client.c \ gpg-wks.h \ wks-util.c \ wks-receive.c \ rfc822parse.c rfc822parse.h \ mime-parser.c mime-parser.h \ mime-maker.h mime-maker.c \ send-mail.c send-mail.h \ call-dirmngr.c call-dirmngr.h gpg_wks_client_CFLAGS = $(LIBASSUAN_CFLAGS) $(LIBGCRYPT_CFLAGS) \ $(GPG_ERROR_CFLAGS) $(INCICONV) gpg_wks_client_LDADD = $(libcommon) \ $(LIBASSUAN_LIBS) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \ $(LIBINTL) $(LIBICONV) $(NETLIBS) \ $(gpg_wks_client_rc_objs) gpg_pair_tool_SOURCES = \ gpg-pair-tool.c gpg_pair_tool_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(INCICONV) gpg_pair_tool_LDADD = $(libcommon) \ $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \ $(LIBINTL) $(LIBICONV) $(W32SOCKLIBS) gpg_auth_SOURCES = gpg-auth.c gpg_auth_LDADD = $(common_libs) \ $(LIBASSUAN_LIBS) $(LIBGCRYPT_LIBS) \ $(GPG_ERROR_LIBS) \ $(LIBINTL) $(NETLIBS) $(LIBICONV) # Instead of a symlink we install a simple wrapper script for the new # gpg-wks-client location. We assume bin is a sibling of libexec. install-exec-local: $(mkinstalldirs) $(DESTDIR)$(libexecdir) (set -e ;\ if [ "$(libexecdir)" != "$(bindir)" ]; then \ printf '#!/bin/sh\nexec "$(bindir)/gpg-wks-client" "$$@"\n' \ > $(DESTDIR)$(libexecdir)/gpg-wks-client ;\ chmod +x $(DESTDIR)$(libexecdir)/gpg-wks-client ;\ fi ) uninstall-local: (if [ "$(libexecdir)" != "$(bindir)" ]; then \ rm $(DESTDIR)$(libexecdir)/gpg-wks-client || true ;\ fi ) # Make sure that all libs are build before we use them. This is # important for things like make -j2. $(PROGRAMS): $(common_libs) $(pwquery_libs) ../common/libgpgrl.a
diff --git a/tools/gpg-authcode-sign.sh b/tools/gpg-authcode-sign.sh
new file mode 100644
index 000000000..0f6a34824
--- /dev/null
+++ b/tools/gpg-authcode-sign.sh
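Review bot: The added `bin_SCRIPTS = gpg-authcode-sign.sh` installs the script but does not distribute it: automake only ships `_SCRIPTS` entries when the `dist_` prefix is used, and the file is not in the EXTRA_DIST list at the top of this hunk either, so a `make dist` tarball would fail at `make install` on the missing file. Change the line to `dist_bin_SCRIPTS = gpg-authcode-sign.sh` or add the file to EXTRA_DIST. It is also worth a comment next to the assignment noting that the script is installed under its `.sh` name into bindir and reads its signing settings from an autogen.rc file, since it will sit on users' PATH alongside the compiled tools.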
@@ -0,0 +1,257 @@
+#!/bin/sh
+# gpg-authcode-sign.sh - Wrapper for osslsigncode
+# Copyright (C) 2024 g10 Code GmbH
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+VERSION=2024-03-25
+PGM=gpg-authcode-sign.sh
+
+set -e
+
+usage()
+{
+ cat <&2
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+done
+
+if [ $# -ne 2 ]; then
+ usage 1 1>&2
+fi
+inname="$1"
+outname="$2"
+shift
+
+if [ ! -f $autogenrc ]; then
+ echo >&2 "$PGM: error: '$autogenrc' missing"
+ echo >&2 "$PGM: hint: use option --template"
+ exit 1
+fi
+
+
+for v in AUTHENTICODE_SIGNHOST AUTHENTICODE_TOOL AUTHENTICODE_TSURL \
+ AUTHENTICODE_KEY AUTHENTICODE_CERTS VERSION_SIGNKEY \
+ OSSLSIGNCODE OSSLPKCS11ENGINE SCUTEMODULE ; do
+ eval $v=$(grep '^[[:blank:]]*'$v'[[:blank:]]*=' "$autogenrc"|cut -d= -f2\
+ |sed -e 's,\\,\\\\,g'| sed -e 's,^",'\', -e 's,"$,'\',)
+done
+
+
+if [ "$stamp" = yes ]; then
+ if [ "$outname.asig-done" -nt "$outname" ]; then
+ echo >&2 "$PGM: file is '$outname' is already signed"
+ exit 0
+ fi
+fi
+
+if [ -n "$dryrun" ]; then
+
+ echo >&2 "$PGM: would sign: '$inname' to '$outname'"
+
+elif [ -n "$AUTHENTICODE_SIGNHOST" ]; then
+
+ echo >&2 "$PGM: Signing via host $AUTHENTICODE_SIGNHOST"
+
+ scp "$inname" "$AUTHENTICODE_SIGNHOST:a.exe"
+ # Invoke command on Windows via ssh
+ ssh "$AUTHENTICODE_SIGNHOST" \""$AUTHENTICODE_TOOL"\" sign \
+ /v /sm \
+ /a /n '"g10 Code GmbH"' \
+ /tr \""$AUTHENTICODE_TSURL"\" /td sha256 \
+ /d \""$desc"\" \
+ /fd sha256 /du https://gnupg.com a.exe
+ scp "$AUTHENTICODE_SIGNHOST:a.exe" "$outname"
+
+elif [ "$AUTHENTICODE_KEY" = card ]; then
+
+ echo >&2 "$PGM: Signing using a card: '$inname'"
+
+ 
"$OSSLSIGNCODE" sign \
+ -pkcs11engine "$OSSLPKCS11ENGINE" \
+ -pkcs11module "$SCUTEMODULE" \
+ -certs "$AUTHENTICODE_CERTS" \
+ -h sha256 -n "$desc" -i "$url" \
+ -ts "$AUTHENTICODE_TSURL" \
+ -in "$inname" -out "$outname.tmp"
+ cp "$outname.tmp" "$outname"
+ rm "$outname.tmp"
+
+elif [ "$AUTHENTICODE_KEY" = none ]; then
+
+ echo >&2 "$PGM: Signing disabled; would sign: '$inname'"
+ [ "$inname" != "$outname" ] && cp "$inname" "$outname"
+
+else
+
+ echo >&2 "$PGM: Signing using key $AUTHENTICODE_KEY"
+ osslsigncode sign -certs "$AUTHENTICODE_CERTS" \
+ -pkcs12 "$AUTHENTICODE_KEY" -askpass \
+ -ts "$AUTHENTICODE_TSURL" \
+ -h sha256 -n "$desc" -i "$url" \
+ -in "$inname" -out "$outname.tmp"
+ cp "$outname.tmp" "$outname"
+ rm "$outname.tmp"
+
+fi
+
+if [ -z "$dryrun" ]; then
+ [ "$stamp" = yes ] && touch "$outname.asig-done"
+ echo >&2 "$PGM: signed file is '$outname'"
+fi
+
+# eof
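Review bot: The `.asig-done` stamp in the final `if [ -z "$dryrun" ]` block is written for every non-dry run, including the `AUTHENTICODE_KEY = none` branch where the output is merely copied, so a later run with a real key and `--stamp` will report the unsigned binary as "already signed" and skip it; the `none` branch should set a flag such as `signed=no` and the final block become `[ "$stamp" = yes ] && [ "$signed" != no ] && touch "$outname.asig-done"`, with the "signed file is" message conditioned the same way. The `for v in …` loop hands each autogen.rc value to `eval` after only swapping double quotes for single quotes, so a value containing a single quote or `$(` is parsed as shell rather than stored as data; assigning the already-extracted string through a `case "$v" in` dispatch, or rejecting values outside a path/URL character set, keeps configuration text out of the shell parser. The pkcs12 branch invokes a bare `osslsigncode` while the card branch uses `"$OSSLSIGNCODE"` read from the same file, so an OSSLSIGNCODE setting is silently ignored for file-based keys. In the ssh branch the fixed remote name `a.exe` is shared by every invocation, so two concurrent signings against the same host would overwrite each other's input before it is signed; derive the remote name from `$$` or the output basename. The option parsing and usage heredoc precede this excerpt (the extraction has dropped them), so `$desc`, `$url`, `$stamp` and `$autogenrc` are assumed to be set there.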