diff --git a/.github/workflows/actions/sign-files/action.yml b/.github/workflows/actions/sign-files/action.yml
index 6e17ac66ce..21a418362a 100644
--- a/.github/workflows/actions/sign-files/action.yml
+++ b/.github/workflows/actions/sign-files/action.yml
@@ -44,9 +44,43 @@ runs:
       run: |
         Write-Output "::group::Install smctl if needed"
         if (!(Get-Command smctl -ErrorAction SilentlyContinue)) {
-          curl -o smtools-windows-x64.msi "https://rstudio-buildtools.s3.amazonaws.com/posit-dev/smtools-windows-x64.msi"
-          msiexec /i smtools-windows-x64.msi /quiet /qn /log smtools-windows-x64.log
-          "C:/Program Files/DigiCert/DigiCert One Signing Manager Tools" | Out-File -FilePath $env:GITHUB_PATH -Append
+          # Download with retry (transient S3 failures cause silent install failures)
+          $maxRetries = 3
+          $downloaded = $false
+          for ($i = 1; $i -le $maxRetries; $i++) {
+            Write-Output "Downloading smtools MSI (attempt $i/$maxRetries)..."
+            curl -o smtools-windows-x64.msi "https://rstudio-buildtools.s3.amazonaws.com/posit-dev/smtools-windows-x64.msi"
+            if ($LASTEXITCODE -ne 0) {
+              Write-Output "::warning::curl failed with exit code $LASTEXITCODE"
+              continue
+            }
+            $fileSize = (Get-Item smtools-windows-x64.msi).Length
+            if ($fileSize -lt 1MB) {
+              Write-Output "::warning::Downloaded file is only $fileSize bytes, expected ~90MB"
+              continue
+            }
+            $downloaded = $true
+            Write-Output "Download successful ($fileSize bytes)"
+            break
+          }
+          if (-not $downloaded) {
+            Write-Output "::error title=Download Error::Failed to download smtools MSI after $maxRetries attempts"
+            exit 1
+          }
+          # Install synchronously (msiexec can return before install completes without -Wait)
+          $process = Start-Process msiexec -ArgumentList '/i', 'smtools-windows-x64.msi', '/quiet', '/qn', '/log', 'smtools-windows-x64.log' -Wait -PassThru
+          if ($process.ExitCode -ne 0) {
+            Write-Output "::error title=Install Error::msiexec failed with exit code $($process.ExitCode)"
+            Get-Content smtools-windows-x64.log -Tail 50
+            exit 1
+          }
+          # Verify smctl is actually on disk before declaring success
+          $smctlPath = "C:/Program Files/DigiCert/DigiCert One Signing Manager Tools"
+          if (!(Test-Path "$smctlPath/smctl.exe")) {
+            Write-Output "::error title=Install Error::smctl.exe not found at $smctlPath after install"
+            exit 1
+          }
+          $smctlPath | Out-File -FilePath $env:GITHUB_PATH -Append
           Write-Output "SMCTL installed and added on PATH"
         } else {
           Write-Output "SMCTL already installed and on PATH"