diff --git a/.github/workflows/release-final.yaml b/.github/workflows/release-final.yaml
index c9e035e5ad..1e6b0bfb0e 100644
--- a/.github/workflows/release-final.yaml
+++ b/.github/workflows/release-final.yaml
@@ -45,6 +45,7 @@ jobs:
 PACKAGES_DIR: packages
 S3_BUCKET: download.draios.com
 RELEASE: ${{ github.event.release.name }}
+ KEY_ID: EC51E8C4
 # These permissions are needed to interact with GitHub's OIDC Token endpoint.
 permissions:
@@ -87,6 +88,11 @@ jobs:
 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 aws-region: us-east-1
+ - name: Import private key
+ env:
+ PRIVATE_KEY: ${{ secrets.SYSDIG_REPO_SIGNING_KEY }}
+ run: printenv PRIVATE_KEY | gpg --import -
+
 - name: Release RPMs
 env:
 SCRIPTS_DIR: sysdig/scripts/release
diff --git a/scripts/release/release_rpm.sh b/scripts/release/release_rpm.sh
index 41110dc9f3..a7a3f21f9d 100755
--- a/scripts/release/release_rpm.sh
+++ b/scripts/release/release_rpm.sh
@@ -18,6 +18,9 @@ aws s3 sync s3://$S3_BUCKET/$REPOSITORY_NAME/rpm/$RPM_BASEARCH/ $REPOSITORY_DIR/
 cp $PACKAGES_DIR/*rpm $REPOSITORY_DIR/rpm/$RPM_BASEARCH
 createrepo $REPOSITORY_DIR/rpm/$RPM_BASEARCH
+# create repomd.xml.asc
+gpg --local-user $KEY_ID --batch --no-tty --yes --detach-sign --armor $REPOSITORY_DIR/rpm/$RPM_BASEARCH/repodata/repomd.xml
+
 cp $SCRIPTS_DIR/draios.repo $REPOSITORY_DIR/rpm
 sed -i s/_REPOSITORY_/$REPOSITORY_NAME/g $REPOSITORY_DIR/rpm/draios.repo
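Review bot: `KEY_ID: EC51E8C4` in the first hunk's `env` block is an 8-hex-digit short key ID, which does not uniquely identify a key; short IDs are known to be collidable, and `gpg --local-user` signs with whatever secret key in the keyring matches it. Pin the signing key by its full fingerprint instead, quoted so no YAML parser can retype it: `KEY_ID: "<FULL_40_HEX_FINGERPRINT>"` (placeholder; the fingerprint is not shown on this page). The enclosing `env` mapping starts above the hunk.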
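Review bot: The `Import private key` step loads the repository signing key into the runner's default GnuPG home, where it stays usable by every later step of the job and by anything those release scripts invoke, and nothing removes it afterwards. Import into a throwaway `GNUPGHOME` exported through `$GITHUB_ENV`, pass `--batch` so gpg never waits for input, and delete the directory in a final `if: always()` step. Listing the secret key by `$KEY_ID` right after the import makes the job fail early when the secret holds a different key than the one the scripts sign with. The runner type is not visible here; on a self-hosted runner the imported key would presumably also outlive the job. The `steps` list starts and continues outside the hunk.

```yaml
- name: Import private key
  env:
    PRIVATE_KEY: ${{ secrets.SYSDIG_REPO_SIGNING_KEY }}
  run: |
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    echo "GNUPGHOME=$GNUPGHOME" >> "$GITHUB_ENV"
    printenv PRIVATE_KEY | gpg --batch --import -
    gpg --batch --list-secret-keys "$KEY_ID"

# … unchanged: Release RPMs and the remaining release steps …

- name: Remove signing keyring
  if: always()
  run: rm -rf "$GNUPGHOME"
```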
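Review bot: The added `gpg --detach-sign` line in `release_rpm.sh` expands `$KEY_ID` and the `repomd.xml` path unquoted, and nothing in the hunk stops the script when signing fails. An empty `KEY_ID` would make `--local-user` consume `--batch` as the key name, and a gpg error could let the later upload proceed without a fresh `repomd.xml.asc`. Quote the expansions and abort on failure, unless `set -e` is already active above the hunk: `gpg --local-user "$KEY_ID" --batch --no-tty --yes --detach-sign --armor "$REPOSITORY_DIR/rpm/$RPM_BASEARCH/repodata/repomd.xml" || exit 1`. The signature also covers metadata that `createrepo` builds over whatever the earlier `aws s3 sync` pulled from the bucket, so it vouches for RPMs already there without checking them. Clients will presumably only verify the new signature if `draios.repo` sets `repo_gpgcheck=1`, which this page does not show.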