diff --git a/.github/workflows/full-build.yml b/.github/workflows/full-build.yml
index a0e1733c55..7ba3e31f97 100644
--- a/.github/workflows/full-build.yml
+++ b/.github/workflows/full-build.yml
@@ -1614,12 +1614,17 @@ jobs:
             Write-Host "Signing Final Installer"
             Write-Host "------------------------------------------------------------"
             
-            $installerZip = "installer_to_sign.zip"
-            $signedInstallerZip = "installer_to_sign.signed.zip"
+            $installerZip = "installer_to_sign_${{ github.sha }}.zip"
+            $signedInstallerZip = "installer_to_sign_${{ github.sha }}.signed.zip"
             
             $installers = Get-ChildItem -Filter "OpenStudio-*.exe"
             if ($installers.Count -gt 0) {
                Write-Host "Found installer(s): $($installers.Name)"
+               
+               # Calculate hash of original installer before compression
+               $originalHash = (Get-FileHash -Path $installers[0].FullName -Algorithm SHA256).Hash
+               Write-Host "Original installer hash (SHA256): $originalHash"
+               
                Compress-Archive -Path $installers.FullName -DestinationPath $installerZip -Force
                
                Write-Host "Sending installer for signing..."
@@ -1630,6 +1635,26 @@ jobs:
                   if (-not (Test-Path signed)) { New-Item -ItemType Directory -Path signed | Out-Null }
                   Expand-Archive -Path $signedInstallerZip -DestinationPath signed -Force
                   
+                  # Verify the extracted file exists and matches expected name
+                  $extractedFiles = Get-ChildItem -Path signed -Filter "*.exe"
+                  if ($extractedFiles.Count -eq 0) {
+                     Write-Host "::error::No EXE file found in signed archive!"
+                     exit 1
+                  }
+                  
+                  $extractedFile = $extractedFiles[0]
+                  $expectedName = $installers[0].Name
+                  if ($extractedFile.Name -ne $expectedName) {
+                     Write-Host "::warning::Signed file name mismatch!"
+                     Write-Host "  Expected: $expectedName"
+                     Write-Host "  Got: $($extractedFile.Name)"
+                     
+                     # Rename to match the original filename to prevent distributing misnamed file
+                     $newPath = Join-Path -Path signed -ChildPath $expectedName
+                     Rename-Item -Path $extractedFile.FullName -NewName $newPath -Force
+                     Write-Host "  Renamed to match original: $expectedName"
+                  }
+                  
                   # Cleanup
                   Remove-Item $installerZip -Force
                   Remove-Item $signedInstallerZip -Force