diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6e4cf14..f5f9bb2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -55,16 +55,28 @@ jobs:
       - uses: EmbarkStudios/cargo-deny-action@1e59595bed8fc55c969333d08d7817b36888f0c5 # v1.5.5
 
   clippy:
-    name: clippy
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v1.2.0
       - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
         with:
           toolchain: stable
-          components: rustfmt, clippy
+          components: clippy
       - run: cargo clippy -- -D warnings
 
+  rustfmt:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v1.2.0
+      - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
+        with:
+          toolchain: nightly
+          components: rustfmt
+      - run: cargo fmt -- --check
+
   integration-macos-ssh:
     name: macos ssh
     runs-on: macos-latest
diff --git a/native-pkcs11-keychain/src/bin/signedtest.rs b/native-pkcs11-keychain/src/bin/signedtest.rs
index 75696db..d22e5d9 100644
--- a/native-pkcs11-keychain/src/bin/signedtest.rs
+++ b/native-pkcs11-keychain/src/bin/signedtest.rs
@@ -48,7 +48,7 @@ fn key_lifecycle() -> Result<(), native_pkcs11_keychain::Error> {
     let generated_key = apple_security_framework::key::SecKey::generate(args)?;
 
     if generated_key.external_representation().is_some() {
-        return Err("expected enclave key to not be exportable")?;
+        Err("expected enclave key to not be exportable")?;
     }
 
     let generated_pubkey = generated_key
@@ -65,7 +65,7 @@ fn key_lifecycle() -> Result<(), native_pkcs11_keychain::Error> {
         .load_refs(true)
         .search()?;
     if results.is_empty() {
-        return Err("expected to find key, but no keys found")?;
+        Err("expected to find key, but no keys found")?;
     }
 
     let found_key = match results.get(0).ok_or("no key found")? {
@@ -83,7 +83,7 @@ fn key_lifecycle() -> Result<(), native_pkcs11_keychain::Error> {
         .to_vec();
 
     if generated_pubkey != found_pubkey {
-        return Err("pubkeys not equal")?;
+        Err("pubkeys not equal")?;
     }
 
     let test_payload = &random_label();
@@ -100,7 +100,7 @@ fn key_lifecycle() -> Result<(), native_pkcs11_keychain::Error> {
             &signature,
         )?
     {
-        return Err("signature verification failed")?;
+        Err("signature verification failed")?;
     }
 
     let cert =
@@ -121,7 +121,7 @@ fn key_lifecycle() -> Result<(), native_pkcs11_keychain::Error> {
         }
     }
     if !found {
-        return Err("didn't find matching cert")?;
+        Err("didn't find matching cert")?;
     }
 
     cert.delete()?;