diff --git a/.ci/build.sh b/.ci/build.sh
index e415ff4..7e27d32 100755
--- a/.ci/build.sh
+++ b/.ci/build.sh
@@ -41,7 +41,7 @@ then
 
 echo 'going to try to build windows here...'
 
-apk add mingw-w64-gcc curl
+apk add mingw-w64-gcc curl wine
 
 STATIC_LIB_DIR="$(pwd)"
 LIBSODIUM_VERSION=1.0.18
@@ -72,9 +72,13 @@ mv pegh.exe pegh-i386-libsodium-openssl.exe
 
 fi
 
+export wine="wine"
+
 if [ "$ARCH" == "amd64" ]
 then
 
+export wine="wine64"
+
 make CC=x86_64-w64-mingw32-cc PEGH_LIBSODIUM_WIN="${STATIC_LIB_DIR}/libsodium-win64" clean all
 mv pegh.exe pegh-amd64-libsodium.exe
 
@@ -91,5 +95,23 @@ strip *.exe
 ls -lah *.exe
 file *.exe
 
-# todo: no testing these here for now...
+# now test windows binaries against the static ones with wine
+# no binfmt here where executing .exe *just works*, so do it hacky way :'(
+export TEST_BINS="./pegh.static.openssl ./pegh.static.libsodium-openssl ./pegh.static.libsodium"
+
+for exe in *.exe
+do
+script="$exe.sh"
+cat > "$script" <<EOF
+#!/bin/sh
+exec $wine "./$exe" "\$@"
+EOF
+chmod +x "$script"
+export TEST_BINS="./$script $TEST_BINS"
+done
+
+./test.sh
+
+echo "windows binaries pass tests through wine!"
+
 fi
diff --git a/test.sh b/test.sh
index 0f6fa11..5803174 100755
--- a/test.sh
+++ b/test.sh
@@ -1,19 +1,32 @@
 #!/bin/bash
 
-export dummy_file="$1"
+export tmp_folder="$1"
 shift
 export dummy_mb="$1"
 
-[ "$dummy_file" = "" ] && export dummy_file='/tmp/randombytes'
+[ "$tmp_folder" = "" ] && export tmp_folder='/tmp'
 [ "$dummy_mb" = "" ] && export dummy_mb='100'
 
 [ "$TEST_BINS" = "" ] && TEST_BINS="./pegh.openssl ./pegh.libsodium ./pegh.libsodium-openssl"
 
+dummy_file="${tmp_folder}/randombytes${dummy_mb}"
+leading_zero_key="${tmp_folder}/leading_zero_key"
+leading_zero_key_a="${tmp_folder}/leading_zero_key_a"
+leading_zero_key_b="${tmp_folder}/leading_zero_key_b"
+
 set -euxo pipefail
 
 # try different size files to encrypt/decrypt
 [ -e "$dummy_file" ] || dd if=/dev/urandom bs=1M "count=$dummy_mb" of="$dummy_file"
 
+export key="$(< /dev/urandom tr -dc 'a-z0-9' | head -c12)"
+
+echo "key: $key"
+
+[ -e "$leading_zero_key" ] || cat <(dd if=/dev/zero bs=1M count=1) <(echo "$key") > "$leading_zero_key"
+[ -e "$leading_zero_key_a" ] || cat "$leading_zero_key" <(echo -n a) > "$leading_zero_key_a"
+[ -e "$leading_zero_key_b" ] || cat "$leading_zero_key" <(echo -n b) > "$leading_zero_key_b"
+
 # try make if it's installed, otherwise fall back to cc
 rm -f pegh
 
@@ -29,10 +42,6 @@ mv pegh pegh.libsodium
 make PEGH_LIBSODIUM=1 PEGH_OPENSSL=1 || cc -O3 -DPEGH_LIBSODIUM -DPEGH_OPENSSL pegh.c -lsodium -lcrypto -o pegh
 mv pegh pegh.libsodium-openssl
 
-export key="$(< /dev/urandom tr -dc 'a-z0-9' | head -c12)"
-
-echo "key: $key"
-
 test () {
     bin="$1"
     shift
@@ -63,7 +72,7 @@ test () {
     "$bin" -e "$@" "$key" -s 32 < "$dummy_file" | "$bin_decrypt" -d "$key" -m 2048 | cmp - "$dummy_file"
 
     echo 'encrypting/decrypting with key in file should work, even when key has leading 0s and a trailing newline'
-    "$bin" -e "$@" -f <(cat <(dd if=/dev/zero bs=1M count=1) <(echo "$key")) < "$dummy_file" | "$bin_decrypt" -d -f <(cat <(dd if=/dev/zero bs=1M count=1) <(echo "$key")) | cmp - "$dummy_file"
+    "$bin" -e "$@" -f "$leading_zero_key" < "$dummy_file" | "$bin_decrypt" -d -f "$leading_zero_key" | cmp - "$dummy_file"
 
     set +e
     # these should fail
@@ -71,7 +80,7 @@ test () {
     "$bin" -e "$@" "$key" -i "$dummy_file" | "$bin_decrypt" -d "$key-wrongkey" | cmp - "$dummy_file" && echo "ERROR: appending -wrongkey to key somehow still worked" && exit 1
 
     echo 'encrypting/decrypting with key in file where last byte is different should fail'
-    "$bin" -e "$@" -f <(cat <(dd if=/dev/zero bs=1M count=1) <(echo "$key") <(echo -n a)) < "$dummy_file" | "$bin_decrypt" -d -f <(cat <(dd if=/dev/zero bs=1M count=1) <(echo "$key") <(echo -n b)) | cmp - "$dummy_file" && echo "ERROR: differing last byte in password file somehow still worked" && exit 1
+    "$bin" -e "$@" -f "$leading_zero_key_a" < "$dummy_file" | "$bin_decrypt" -d -f "$leading_zero_key_b" | cmp - "$dummy_file" && echo "ERROR: differing last byte in password file somehow still worked" && exit 1
 
     echo 'large values of N without enough memory should fail'
     "$bin" -e "$@" "$key" -N 2000000 -i "$dummy_file" >/dev/null && echo "ERROR: N of 2 million without extra memory worked" && exit 1