diff --git a/mswin32/Makefile b/mswin32/Makefile
index 068f13f6a..e4934d19a 100644
--- a/mswin32/Makefile
+++ b/mswin32/Makefile
@@ -1,4 +1,5 @@
 MAKENSIS="/cygdrive/c/Program Files/NSIS/makensis.exe"
+# VCExpress.exe is devenv.com with the commercial Visual Studio suite instead of VC++ Express
 VCEXPRESS := $(shell reg query "HKEY_CLASSES_ROOT\\Applications\\devenv.exe\\shell\\edit\\command" | egrep -i '[A-Z]:\\' | cut -d\" -f2 | sed 's%\\%/%g' | tr -d '\n')
 SIGNTOOL := $(shell reg query "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Microsoft SDKs\\Windows\\v8.1" /v "InstallationFolder" | egrep InstallationFolder | cut -d ' ' -f13- | sed 's%\\%/%g' | tr -d '\n' | sed 's%$$%bin/x86/signtool.exe%')
 export NMAP_VERSION := $(shell grep '^\#[ \t]*define[ \t]\+NMAP_VERSION' ../nmap.h | sed -e 's/.*"\(.*\)".*/\1/' -e 'q')
@@ -9,17 +10,20 @@ LOGLOC=c:nmapbuild.log
 NSE_FILES = scripts/script.db scripts/*.nse
 NMAP_MSWIN32_AUX = ../../nmap-mswin32-aux
 SIGNTOOL_ARGS = sign /a /n "Insecure.Com LLC" /tr http://timestamp.digicert.com /td sha256 /fd sha256
+# escape quotes for NSIS
+# escape for right side of sed regex replace
+SIGNTOOL_SUBST = $(shell echo '"$(SIGNTOOL)" $(SIGNTOOL_ARGS)' | sed -e 's/"/$$\\"/g' -e 's/[\/&]/\\&/g' )
 
-winbuild: nmap.rc nsis/Nmap.nsi LICENSE
-# VCExpress.exe is devenv.com with the commercial Visual Studio suite instead of VC++ Express
+bundle-nmap: bundle-zip bundle-nsis
 
+build-nmap: nmap.sln nmap.rc
 	"$(VCEXPRESS)" nmap.sln /build release /out $(LOGLOC)
 	"$(VCEXPRESS)" nmap.sln /build release /project nmap-update /out $(LOGLOC)
+
+stage-nmap: build-nmap LICENSE
 	rm -rf nmap-$(NMAP_VERSION)
-	rm -f nmap-$(NMAP_VERSION)-win32.zip
 	mkdir nmap-$(NMAP_VERSION)
 	cd Release && cp -r ../../CHANGELOG ../../COPYING nmap-mac-prefixes nmap-os-db nmap-payloads nmap-protocols nmap-rpc nmap-service-probes nmap-services nmap.exe nmap.xsl nse_main.lua ../nmap_performance.reg ../../README-WIN32 ../../docs/3rd-party-licenses.txt ../nmap-$(NMAP_VERSION)/
-	"$(SIGNTOOL)" $(SIGNTOOL_ARGS) nmap-$(NMAP_VERSION)/nmap.exe
 # Use "cmd /c copy" rather than "cp" to preserve Windows ACLs. Using
 # "cp" means that the copied DLLs don't have the same ACL and cause an
 # error on startup: 0xc0000022.
@@ -38,30 +42,38 @@ winbuild: nmap.rc nsis/Nmap.nsi LICENSE
 	cp $(NMAP_MSWIN32_AUX)/vcredist_x86.exe nmap-$(NMAP_VERSION)
 	cp $(NMAP_MSWIN32_AUX)/vcredist2008_x86.exe nmap-$(NMAP_VERSION)
 	cp ../ncat/Release/ncat.exe nmap-$(NMAP_VERSION)
-	"$(SIGNTOOL)" $(SIGNTOOL_ARGS) nmap-$(NMAP_VERSION)/ncat.exe
 	cp ../ncat/Release/ca-bundle.crt nmap-$(NMAP_VERSION)
 	cp ../nping/Release/nping.exe nmap-$(NMAP_VERSION)
-	"$(SIGNTOOL)" $(SIGNTOOL_ARGS) nmap-$(NMAP_VERSION)/nping.exe
 	cp ../nmap-update/Release/nmap-update.exe nmap-$(NMAP_VERSION)
-	"$(SIGNTOOL)" $(SIGNTOOL_ARGS) nmap-$(NMAP_VERSION)/nmap-update.exe
 # Install the ndiff batch file wrapper in the zip distribution.
 	cp ../ndiff/ndiff.py nmap-$(NMAP_VERSION)/ndiff.py
 	cp python-wrap.bat nmap-$(NMAP_VERSION)/ndiff.bat
-	zip -r nmap-$(NMAP_VERSION)-win32.zip nmap-$(NMAP_VERSION)
-# Remove ndiff.py and ndiff.bat for the installer because it has ndiff.exe.
-	rm -f nmap-$(NMAP_VERSION)/ndiff.py nmap-$(NMAP_VERSION)/ndiff.bat
 	cd ../zenmap && install_scripts/windows/copy_and_compile.bat
 	cp -R ../zenmap/dist/* nmap-$(NMAP_VERSION)/
-	"$(SIGNTOOL)" $(SIGNTOOL_ARGS) nmap-$(NMAP_VERSION)/ndiff.exe
-	"$(SIGNTOOL)" $(SIGNTOOL_ARGS) nmap-$(NMAP_VERSION)/zenmap.exe
 	cp ../zenmap/README nmap-$(NMAP_VERSION)/ZENMAP_README
 	cp ../zenmap/COPYING_HIGWIDGETS nmap-$(NMAP_VERSION)
 	cp ../ndiff/README nmap-$(NMAP_VERSION)/NDIFF_README
+
+sign-files: nmap-$(NMAP_VERSION)/nmap.exe nmap-$(NMAP_VERSION)/ncat.exe nmap-$(NMAP_VERSION)/nping.exe nmap-$(NMAP_VERSION)/nmap-update.exe nmap-$(NMAP_VERSION)/ndiff.exe nmap-$(NMAP_VERSION)/zenmap.exe
+	"$(SIGNTOOL)" $(SIGNTOOL_ARGS) $^
+
+bundle-nsis: nsis/Nmap.nsi sign-files
 	cp nsis/AddToPath.nsh nsis/Nmap.nsi nsis/shortcuts.ini nsis/final.ini nmap-$(NMAP_VERSION)
 	$(MAKENSIS) nmap-$(NMAP_VERSION)/Nmap.nsi
 	mv nmap-$(NMAP_VERSION)/NmapInstaller.exe nmap-$(NMAP_VERSION)-setup.exe
 	"$(SIGNTOOL)" $(SIGNTOOL_ARGS) nmap-$(NMAP_VERSION)-setup.exe
 
+bundle-zip: sign-files
+	rm -f nmap-$(NMAP_VERSION)-win32.zip
+	zip -x nmap-$(NMAP_VERSION)/ZENMAP_README nmap-$(NMAP_VERSION)/zenmap/\* \
+	  nmap-$(NMAP_VERSION)/zenmap.exe nmap-$(NMAP_VERSION)/share/\* \
+	  nmap-$(NMAP_VERSION)/python27.dll nmap-$(NMAP_VERSION)/py2exe/\* \
+	  nmap-$(NMAP_VERSION)/COPYING_HIGWIDGETS nmap-$(NMAP_VERSION)/w9xpopen.exe \
+	  nmap-$(NMAP_VERSION)/ndiff.exe nmap-$(NMAP_VERSION)/\*.ini \
+	  nmap-$(NMAP_VERSION)/Uninstall.exe nmap-$(NMAP_VERSION)/\*.nsi \
+	  nmap-$(NMAP_VERSION)/\*.nsh \
+	  -r nmap-$(NMAP_VERSION)-win32.zip nmap-$(NMAP_VERSION)
+
 nmap.rc: nmap.rc.in ../nmap.h
 	sed -e '1i// Automatically generated from $<.' \
 	     -e 's/@@FILEVERSION@@/"$(NMAP_VERSION)\\0"/' \
@@ -74,6 +86,7 @@ nsis/Nmap.nsi: nsis/Nmap.nsi.in ../nmap.h
 	     -e 's/@@VIPRODUCTVERSION@@/"$(NMAP_NUM_VERSION)"/' \
 	     -e 's/@@VERSION@@/"$(NMAP_VERSION)"/' \
 	     -e 's/@@NPCAP_VERSION@@/$(NPCAP_VERSION)/' \
+	     -e 's/@@SIGNTOOL@@/$(SIGNTOOL_SUBST)/' \
 	     "$<" > "$@"
 
 LICENSE: ../COPYING
diff --git a/mswin32/nsis/Nmap.nsi.in b/mswin32/nsis/Nmap.nsi.in
index 3c1c40ebe..070d4a1da 100644
--- a/mswin32/nsis/Nmap.nsi.in
+++ b/mswin32/nsis/Nmap.nsi.in
@@ -21,10 +21,6 @@
 ;;  contain any quotes, even if the path contains spaces. Only absolute
 ;;  paths are supported.
 
-; The default compressor is zlib; lzma gives about 15% better compression.
-; http://nsis.sourceforge.net/Docs/Chapter4.html#4.8.2.4
-SetCompressor /SOLID /FINAL lzma
-
 ;--------------------------------
 ;Include Modern UI
 
@@ -38,7 +34,43 @@ SetCompressor /SOLID /FINAL lzma
 
   ;Name and file
   Name "Nmap"
+
+;--------------------------------
+; Sign the uninstaller
+; http://nsis.sourceforge.net/Signing_an_Uninstaller
+
+!ifdef INNER
+  !insertmacro MUI_UNPAGE_CONFIRM
+  !insertmacro MUI_UNPAGE_INSTFILES
+  !echo "Inner invocation"                  ; just to see what's going on
+  OutFile "$%TEMP%\tempinstaller.exe"       ; not really important where this is
+  SetCompress off                           ; for speed
+!else
+  !echo "Outer invocation"
+
+  ; Call makensis again, defining INNER.  This writes an installer for us which, when
+  ; it is invoked, will just write the uninstaller to some location, and then exit.
+  ; Be sure to substitute the name of this script here.
+
+  !system "$\"${NSISDIR}\makensis$\" /DINNER Nmap.nsi" = 0
+
+  ; So now run that installer we just created as %TEMP%\tempinstaller.exe.  Since it
+  ; calls quit the return value isn't zero.
+
+  !system "$\"$%TEMP%\tempinstaller.exe$\"" = 2
+
+  ; That will have written an uninstaller binary for us.  Now we sign it with your
+  ; favourite code signing tool.
+
+  ;!system "icacls.exe $\"$%TEMP%\Uninstall.exe$\" /grant $\"$%USER%$\":M"
+  !system "copy /b $\"$%TEMP%\Uninstall.exe$\" Uninstall.exe"
+  !system "$\"C:/Program Files (x86)/Windows Kits/8.1/bin/x86/signtool.exe$\" sign /a /n $\"Insecure.Com LLC$\" /tr http://timestamp.digicert.com /td sha256 /fd sha256 Uninstall.exe" = 0
+
+  ; Good.  Now we can carry on writing the real installer.
+
   OutFile "NmapInstaller.exe"
+  SetCompressor /SOLID /FINAL lzma
+!endif
 
   ;Required for removing shortcuts
   RequestExecutionLevel admin
@@ -381,7 +413,13 @@ Function create_uninstaller
   WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Nmap" "NoModify" 1
   WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Nmap" "NoRepair" 1
   ;Create uninstaller
-  WriteUninstaller "$INSTDIR\Uninstall.exe"
+!ifndef INNER
+  SetOutPath $INSTDIR
+
+  ; this packages the signed uninstaller
+
+  File "Uninstall.exe"
+!endif
   StrCpy $addremoveset "true"
   skipaddremove:
 FunctionEnd
@@ -400,6 +438,15 @@ OptionDisableSection_keep_${ID}:
 !macroend
 
 Function .onInit
+!ifdef INNER
+  ; If INNER is defined, then we aren't supposed to do anything except write out
+  ; the installer.  This is better than processing a command line option as it means
+  ; this entire code path is not present in the final (real) installer.
+
+  WriteUninstaller "$%TEMP%\Uninstall.exe"
+  Quit  ; just bail out quickly when running the "inner" installer
+!endif
+
   !insertmacro MUI_INSTALLOPTIONS_EXTRACT "shortcuts.ini"
   !insertmacro MUI_INSTALLOPTIONS_EXTRACT "final.ini"
 
@@ -446,6 +493,7 @@ FunctionEnd
 ;--------------------------------
 ;Uninstaller Section
 
+!ifdef INNER
 Section "Uninstall"
 
   StrCpy $R0 $INSTDIR "" -2
@@ -540,3 +588,4 @@ Section "Uninstall"
 
   SetDetailsPrint both
 SectionEnd
+!endif