diff --git a/scripts/sign.sh b/scripts/sign.sh
new file mode 100755
index 0000000..30b1d74
--- /dev/null
+++ b/scripts/sign.sh
@@ -0,0 +1,12 @@
+#! /usr/bin/env nix-shell
+#! nix-shell --pure ../shell.nix -i bash
+
+set -euxo pipefail
+
+SOURCE="${BASH_SOURCE[0]}"
+while [ -h "$SOURCE" ] ; do SOURCE="$(readlink "$SOURCE")"; done
+cd -P "$( dirname "$SOURCE" )/../pkg"
+
+gpg -u FFCBD29F3AFED453AE4B9E321D40FBA29EB39616 --armor --export --export-options export-minimal > public.key
+find . -name '*.zip' -exec gpg --armor --detach-sign {} \;
+find . -name '*.zip' -exec rekor-cli upload --artifact {} --signature {}.asc --public-key public.key \;
diff --git a/shell.nix b/shell.nix
index 6c76d4c..e4b915e 100644
--- a/shell.nix
+++ b/shell.nix
@@ -11,5 +11,7 @@ pkgs.mkShell {
 pkgs.gitMinimal
 pkgs.zip
 pkgs.go_1_17
+ pkgs.gnupg
+ pkgs.rekor-cli
 ];
 }
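Review bot: The pinned fingerprint is attached to the wrong command in scripts/sign.sh: `-u` only selects a signing key, so on the `--export` line it has no effect, and with no key name given `gpg --export` writes every public key in the keyring to public.key. The `--detach-sign` line names no key at all, so the archives are signed with whatever the default key is, which may not be the one whose fingerprint is pinned. The signature and the key uploaded to Rekor can therefore disagree, or the log entry can carry unrelated keys. I would hold the fingerprint in one variable, `KEY=FFCBD29F3AFED453AE4B9E321D40FBA29EB39616`, export with `gpg --armor --export --export-options export-minimal "$KEY" > public.key`, and sign with `-exec gpg -u "$KEY" --armor --detach-sign {} \;`. A one-line comment above the upload noting that entries go to rekor-cli's default server, since no server option is passed, would also help the next maintainer.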