diff --git a/Makefile b/Makefile
index 3bb721fc..6501e375 100644
--- a/Makefile
+++ b/Makefile
@@ -23,6 +23,7 @@ VERBOSE.MACRO = $${VERBOSE:-0}
 CHANNEL = development
 CLIENT_DIR = client
 COMMIT = $$( git rev-parse --short HEAD )
+DEPLOY_SCRIPT_PATH = not/a/real/path
 DIST_DIR = dist
 GOAMD64 = v1
 GOPROXY = https://proxy.golang.org|direct
@@ -37,6 +38,7 @@ NPM_INSTALL_FLAGS = $(NPM_FLAGS) --quiet --no-progress --ignore-engines\
 	--ignore-optional --ignore-platform --ignore-scripts
 RACE = 0
 SIGN = 1
+SIGNER_API_KEY = not-a-real-key
 VERSION = v0.0.0
 YARN = yarn
 
@@ -60,6 +62,7 @@ BUILD_RELEASE_DEPS_1 = go-deps
 ENV = env\
 	CHANNEL='$(CHANNEL)'\
 	COMMIT='$(COMMIT)'\
+	DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)' \
 	DIST_DIR='$(DIST_DIR)'\
 	GO="$(GO.MACRO)"\
 	GOAMD64='$(GOAMD64)'\
@@ -72,6 +75,7 @@ ENV = env\
 	PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\
 	RACE='$(RACE)'\
 	SIGN='$(SIGN)'\
+	SIGNER_API_KEY='$(SIGNER_API_KEY)' \
 	NEXTAPI='$(NEXTAPI)'\
 	VERBOSE="$(VERBOSE.MACRO)"\
 	VERSION="$(VERSION)"\
diff --git a/bamboo-specs/release.yaml b/bamboo-specs/release.yaml
index d6432c27..5ace2365 100644
--- a/bamboo-specs/release.yaml
+++ b/bamboo-specs/release.yaml
@@ -91,6 +91,11 @@
     'tasks':
       - 'checkout':
             'force-clean-build': true
+      - 'checkout':
+            'repository': 'bamboo-deploy-publisher'
+            # The paths are always relative to the working directory.
+            'path': 'bamboo-deploy-publisher'
+            'force-clean-build': true
       - 'script':
             'interpreter': 'SHELL'
             'scripts':
@@ -99,6 +104,9 @@
 
                 set -e -f -u -x
 
+                # Explicitly checkout the revision that we need.
+                git checkout "${bamboo.repository.revision.number}"
+
                 # Run the build with the specified channel.
                 echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
                         | awk '{ gsub(/\\n/, "\n"); print; }'\
@@ -107,6 +115,8 @@
                 make\
                         CHANNEL=${bamboo.channel}\
                         GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\
+                        DEPLOY_SCRIPT_PATH="./bamboo-deploy-publisher/deploy.sh"\
+                        SIGNER_API_KEY="${bamboo.adguardHomeWinSignerSecretApiKey}"\
                         FRONTEND_PREBUILT=1\
                         PARALLELISM=1\
                         VERBOSE=2\
diff --git a/bamboo-specs/test.yaml b/bamboo-specs/test.yaml
index 26e0c5d3..29a8bae5 100644
--- a/bamboo-specs/test.yaml
+++ b/bamboo-specs/test.yaml
@@ -143,12 +143,6 @@
     'other':
          'clean-working-dir': true
     'tasks':
-      # TODO(e.burkov):  Remove after test.
-      - 'checkout':
-            'repository': 'bamboo-deploy-publisher'
-            # The paths are always relative to the working directory.
-            'path': 'bamboo-deploy-publisher'
-            'force-clean-build': true
       - 'checkout':
             'force-clean-build': true
       - 'script':
diff --git a/scripts/make/build-release.sh b/scripts/make/build-release.sh
index 3bc8caf5..581081d5 100644
--- a/scripts/make/build-release.sh
+++ b/scripts/make/build-release.sh
@@ -83,11 +83,15 @@ if [ "$sign" -eq '1' ]
 then
 	gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}"
 	gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}"
+	signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}"
+	deploy_script_path="${DEPLOY_SCRIPT_PATH:?please set DEPLOY_SCRIPT_PATH or unset SIGN}"
 else
 	gpg_key_passphrase=''
 	gpg_key=''
+	signer_api_key=''
+	deploy_script_path=''
 fi
-readonly gpg_key_passphrase gpg_key
+readonly gpg_key_passphrase gpg_key signer_api_key deploy_script_path
 
 # The default distribution files directory is dist.
 dist="${DIST_DIR:-dist}"
@@ -149,6 +153,50 @@ windows  amd64     -   -
 windows  arm64     -   -"
 readonly platforms
 
+# Function sign signs the specified build as intended by the target operating
+# system.
+sign() {
+	# Only sign if needed.
+	if [ "$sign" -ne '1' ]
+	then
+		return
+	fi
+
+	# Get the arguments.  Here and below, use the "sign_" prefix for all
+	# variables local to function sign.
+	sign_os="$1"
+	sign_bin_path="$2"
+
+	if [ "$sign_os" != 'windows' ]
+	then
+		gpg\
+			--default-key "$gpg_key"\
+			--detach-sig\
+			--passphrase "$gpg_key_passphrase"\
+			--pinentry-mode loopback\
+			-q\
+			"$sign_bin_path"\
+			;
+
+		return
+	# TODO(e.burkov):  Enable for all releases.
+	elif [ "$channel" != 'beta' ]
+	then
+		return
+	fi
+
+	signed_bin_path="${sign_bin_path}.signed"
+
+	env\
+		INPUT_FILE="$sign_bin_path"\
+		OUTPUT_FILE="$signed_bin_path"\
+		SIGNER_API_KEY="$signer_api_key"\
+		"$deploy_script_path" sign-executable\
+		;
+
+	mv "$signed_bin_path" "$sign_bin_path"
+}
+
 # Function build builds the release for one platform.  It builds a binary and an
 # archive.
 build() {
@@ -189,17 +237,7 @@ build() {
 
 	log "$build_output"
 
-	if [ "$sign" -eq '1' ]
-	then
-		gpg\
-			--default-key "$gpg_key"\
-			--detach-sig\
-			--passphrase "$gpg_key_passphrase"\
-			--pinentry-mode loopback\
-			-q\
-			"$build_output"\
-			;
-	fi
+	sign "$os" "$build_output"
 
 	# Prepare the build directory for archiving.
 	cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir"