diff --git a/.gitignore b/.gitignore
index 0aa94e2..0d439fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 ctx/
+secrets/
 repo/
 *.key
 *.pub
diff --git a/binhost.sh b/binhost.sh
index cea714d..1183e3e 100755
--- a/binhost.sh
+++ b/binhost.sh
@@ -10,6 +10,7 @@ IMAGE="docker.io/gentoo/stage3:amd64-desktop-openrc"
 CONTAINER_NAME="gentoo_builder"
 PROFILE="default/linux/amd64/23.0/desktop"
 LOG_FILE="/var/log/gentoo_build.log" # inside container
+HOST_KEY_PATH="$(pwd)/secrets/signing.key"
 if [[ ! -d "$REPO/.git" ]]; then
 git clone "$REPO_URL" "$REPO"
@@ -66,12 +67,16 @@ init_container() {
 -v portage_db:/var/db/repos/gentoo \
 -v distfiles:/var/cache/distfiles \
 -v binpkgs:/var/cache/binpkgs \
+ -v "$HOST_KEY_PATH":/tmp/signing.key:ro \
 --tmpfs /var/tmp/portage:rw,size=48G,mode=1777 \
 "$IMAGE" \
 bin/bash -c "sleep infinity"
 echo "Running setup..."
 podman exec "$CONTAINER_NAME" bash -c "
+ mkdir -p /root/.gnupg
+ chmod 700 /root/.gnupg
+ gpg --batch --import /tmp/signing.key
 emerge-webrsync -q
 emerge -1vn --usepkg --buildpkg dev-vcs/git app-eselect/eselect-repository
 eselect profile set '$PROFILE'
diff --git a/binhost/make.conf b/binhost/make.conf
index 1fc1e5a..60369f9 100644
--- a/binhost/make.conf
+++ b/binhost/make.conf
@@ -23,7 +23,11 @@ VIDEO_CARDS="intel nouveau"
 # "buildpkg" = generate binary packages upon install
 # "binpkg-multi-instance" = keep only latest version, but support slotting
-FEATURES="${FEATURES} -getbinpkg buildpkg binpkg-multi-instance -ipc-sandbox -network-sandbox -pid-sandbox"
+FEATURES="${FEATURES} -getbinpkg buildpkg binpkg-multi-instance -ipc-sandbox -network-sandbox -pid-sandbox binpkg-signing"
 ACCEPT_LICENSE="*"
 BINPKG_FORMAT="gpkg"
+
+# gpg
+BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg"
+BINPKG_GPG_SIGNING_KEY="0x2D74807D22E7B8551ADAABD44DD2AD0F96276ABF"
diff --git a/public_key.asc b/public_key.asc
new file mode 100644
index 0000000..b9d0708
--- /dev/null
+++ b/public_key.asc
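Review bot: `HOST_KEY_PATH="$(pwd)/secrets/signing.key"` resolves against the caller's working directory rather than the script's location, so invoking binhost.sh from anywhere else hands podman a non-existent source path and the later `gpg --import` in init_container() then fails on whatever gets mounted at /tmp/signing.key. The hunk shows only top-level assignments, so I cannot tell whether `REPO` (defined outside this hunk) follows the same convention; anchoring the key to the script and failing early is cheap either way: `HOST_KEY_PATH="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")/secrets/signing.key"` followed by `[[ -f "$HOST_KEY_PATH" ]] || { echo "missing signing key: $HOST_KEY_PATH" >&2; exit 1; }`. A one-line comment above the assignment stating that this is the private signing half and must never be committed would also help, since the .gitignore hunk is the only thing that currently documents that.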
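Review bot: After `gpg --batch --import /tmp/signing.key` the private key stays bind-mounted at /tmp/signing.key for the whole life of the `sleep infinity` container, so every later `emerge` build phase that runs in it (with the sandboxes disabled in make.conf) can read the secret key rather than only the imported copy under /root/.gnupg. The `-v "$HOST_KEY_PATH":/tmp/signing.key:ro` line and the import inside the `bash -c` string can be replaced by a single stdin import run from the host once the container is up, `podman exec -i "$CONTAINER_NAME" gpg --batch --import < "$HOST_KEY_PATH"`, which leaves no copy of the key file on the container filesystem. `mkdir -p /root/.gnupg` plus `chmod 700 /root/.gnupg` collapses to `mkdir -p -m 700 /root/.gnupg`. If the secret key is passphrase-protected, a batch import succeeds but unattended signing later will block on the passphrase prompt; worth a comment stating the key is expected to be unprotected, or whatever the actual arrangement is. init_container() begins and ends outside this hunk.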
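Review bot: The comment block above FEATURES documents each flag but the newly added `binpkg-signing` is not listed, and `# gpg` above the two BINPKG_GPG_SIGNING_* lines says nothing about where the key comes from or which key it must be. Suggested additions: `# "binpkg-signing" = GPG-sign every generated binary package with BINPKG_GPG_SIGNING_KEY below` in the feature list, and in place of `# gpg`: `# Signing key: imported into this GNUPGHOME by binhost.sh init_container(); the fingerprint must match the public key published in public_key.asc`. Decoding the issuer-fingerprint subpacket in the committed public_key.asc appears to give the same fingerprint as BINPKG_GPG_SIGNING_KEY, so stating that coupling in the comment lets a future key rotation be done consistently in both places.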
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGk1iMwBEADDCZJNpmr/BEmWX9XqOWcIFrmlHw3396LHFrGD7TLQOygbe5t5
+dsgpvz/NNhmKe1HdDUi5vYUQhfcFD2DJI08L5oCZJ4BncuAXZeQ7tNJZvdR5mQ0n
+als8nbYp7aX4Q/bKEQvO+HP8NimIi+//MGwjGap2aHmpZMFRW1PrYATpcNkK6wzL
+moNeA3/qa86kzP4ODiBwti1XAT3u1Zo6sEQACpz6x3O4KTiekObbfXtmlhjL7OUP
+QKeZFWkvkHZNtHSvkUxHNA2taNeuQJXu/XA2D/6Bq3y1OYn7RjaHzKkrysqk3wfD
+hqfhEcJKxk+6VHFyyl/ET2pj5EEnHVSR9dTkJIgb/0KJjGAoP+jLF3US7WYSfvKu
+GCLhrSu3zRaGZ50deoDsZYEuCyNPdNS+5pnbgNZFuVnqUzr3GsV2c/lZUA22YYWz
+Iyif0MIaU0Z6VhS4Vsw7O0/45VqSdU5P+ifghzvtTvB9GUzV2TSZ08Xc5E7WHEAG
+jPM4R9ZtaScRHSNvfTr0Tk/T8kRzlU9XhjytBGkHuNke61VQiRaiwR4wmTGRtbYo
+LM66wJmDOmqier3HwzeuJOx2Uxh0HObqczlZh26QzQdWVBf9FjMNXpFRGj8ACQI+
+kcjmR7wQoLW4MER3ucNo7vCVFj6BM54zSYqTd7p6WJCavV6b3kRnAb+OdwARAQAB
+tCRHZW50b28gQnVpbGRlciA8Z2VudG9vLXBpbGxAYXlhdS5tZT6JAk8EEwEKADkW
+IQQtdIB9Iue4VRraq9RN0q0PlidqvwUCaTWIzAMbLwQFCwkIBwIGFQoJCAsCBBYC
+AwECHgECF4AACgkQTdKtD5Ynar9v2g/9G/42kp3K9qjq0zG2xrtuESkil5Do73Cc
+9/tkVJN/5kV8SKrhMklhOp9cQ3olKkFRtI+ZSj7I/HTT9MFAAv0RDjb1EDRENv2G
+vQOQUKpokrAhGXrU2gVpP+oJI7WE2nk/8pNDPGve+f+xJ4kpjkIr33r5xl1Cj+rI
+Xfn1WJUGPNEFtNoRpVeg/FC5k8MS1j714Hdz6c/OkZBaHaURd8mhS7QsV/pq8Ttz
+T17V0m5llcUkNqkxusc6aJhOt0ghA6frF1TIo0bC3P1NY73Ni1y0w90sImzVlTCA
+2V8jBdlXjjS7n6e2WxVHUEP73uKuBX3SACjNZ3KAsVzmzf0qV7a+epwO5uK7OK7H
+JpgHnXZvzS1bmpBuxyg4rcfWuvhNbvX+FnaMJXvdNWtU/zi1T37k2tNcFWor7AQ4
+1WkmUJgCNRBqBYYzZ2fhgUDXxArrtTdU6xCzuxCVFd22SGS8FEYE/U4WPyKF6gND
+uHVGVfJ6R1HM9r/ZbEtwKoisH74r8Sncdd+ne+4H8FB5QVlbBuNZVa54rDF2BEzA
+ChO/FTH8mUk7sypnNfufpm9RRfY8z8/L/b7KpbsP/WsGPo+N6lAP3vYgKOCUxBxP
+l3J0o6GxOVIC3ZhxKgquNze9MMZBRiwgvoolRKZpPCp5kPqf2xxeLnbWfNCPjJNV
+b2PQrY0UJ/k=
+=HHW8
+-----END PGP PUBLIC KEY BLOCK-----