diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b53af55ed3..8d88e4222b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -98,10 +98,13 @@ jobs:
 echo "::add-mask::$accessToken"
 echo "AZURE_VAULT_TOKEN=$accessToken" >> $env:GITHUB_ENV
+ # AzureSignTool is installed from nuget.org (https://www.nuget.org/packages/AzureSignTool/7.0.1)
+ # Security: On Windows, NuGet verifies repository signatures by default. The package is
+ # version-pinned and pulled over HTTPS from nuget.org's CDN. Source: https://github.com/vcsjones/AzureSignTool
 - name: Install AzureSignTool
 shell: pwsh
 run: |
- dotnet tool install --global AzureSignTool
+ dotnet tool install --global AzureSignTool --version 7.0.1
 - name: Run GoReleaser for Windows
 uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0