diff --git a/.woodpecker/ci.yaml b/.woodpecker/ci.yaml
index 3099d84..606a477 100644
--- a/.woodpecker/ci.yaml
+++ b/.woodpecker/ci.yaml
@@ -6,6 +6,17 @@ when:
 
 steps:
   check:
-    image: docker.io/nixpkgs/nix-flakes:nixos-24.05
+    image: docker.io/nixpkgs/nix-flakes:nixos-25.05
     commands:
       - nix flake check
+
+  sign:
+    image: docker.io/nixpkgs/nix-flakes:nixos-25.05
+    environment:
+        DB_KEY:
+          from_secret: secure_boot_key
+        DB_CRT:
+          from_secret: secure_boot_crt
+    commands:
+      - ./scripts/sign-release.sh
+
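Review bot: The new `sign` step runs `./scripts/sign-release.sh`, which (in the same commit) copies artefacts from `result/` and needs `sudo`, `losetup` and a writable `/mnt`, yet nothing in this pipeline builds `result` before the step and the `nix-flakes` container is unlikely to provide sudo or loop devices; presumably a build step (or `depends_on`) and a privileged runner are expected, and that should be stated or added so the step does not fail on `cp -L result/*`. The `environment:` children are indented eight spaces while `commands:` and the `check` step use four; aligning them to `    environment:` / `      DB_KEY:` keeps the file consistent. Since the step's whole purpose is to hold a signing key in `DB_KEY`, a short comment above it such as `# DB_KEY/DB_CRT: Secure Boot db signing key; never echoed by the script` would document the contract the script has to respect.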
diff --git a/flake.nix b/flake.nix
index 7648b8b..e5f4787 100644
--- a/flake.nix
+++ b/flake.nix
@@ -80,8 +80,11 @@
 
       devShells.${system}.default = pkgs.mkShell {
         buildInputs = with pkgs; [
+          efitools
           erofs-utils
           just
+          openssl
+          sbsigntool
           self.packages.${system}.qemu-uefi-tpm
           squashfs-tools-ng
         ];
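Review bot: If the dev shell is meant to run `scripts/sbkeys` from this commit, the package list is incomplete: that script also calls `uuidgen` (util-linux) and `wget`, neither of which is added here alongside `efitools`, `openssl` and `sbsigntool`. Whether they are expected to come from the host is not visible from the hunk; either add them to `buildInputs` or note the assumption with a comment like `# sbkeys additionally needs uuidgen and wget from the host`.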
diff --git a/keys/DB.auth b/keys/DB.auth
new file mode 100644
index 0000000..d8ce304
Binary files /dev/null and b/keys/DB.auth differ
diff --git a/keys/KEK.auth b/keys/KEK.auth
new file mode 100644
index 0000000..1e01cd3
Binary files /dev/null and b/keys/KEK.auth differ
diff --git a/keys/PK.auth b/keys/PK.auth
new file mode 100644
index 0000000..77ce10f
Binary files /dev/null and b/keys/PK.auth differ
diff --git a/modules/image/builder.nix b/modules/image/builder.nix
index f510fe7..65dc08a 100644
--- a/modules/image/builder.nix
+++ b/modules/image/builder.nix
@@ -76,6 +76,7 @@ let
       contents = {
         "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
         "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
+        "/EFI/loader/keys/patos".source = ../../keys;
         "/EFI/memtest86/memtest86.efi".source = "${pkgs.memtest86plus}/memtest.efi";
         "/loader/entries/patos-factory-reset.conf".source = pkgs.writeText "patos-factory-reset.conf" ''
             title Patos Factory Reset
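Review bot: The key directory is placed at `/EFI/loader/keys/patos` here, but `scripts/sign-release.sh` in the same commit copies the same `.auth` files to `/mnt/loader/keys/patos/`, i.e. ESP-relative `/loader/keys/patos`; the two locations disagree. systemd-boot's automatic enrollment (`secure-boot-enroll`) looks under `/loader/keys/<name>/` on the ESP, so the `/EFI/` prefix used here looks unintended: `"/loader/keys/patos".source = ../../keys;`. Enrollment also requires `secure-boot-enroll` to be set in `loader.conf`, which this hunk does not show; a one-line comment stating where that is configured would help the next reader. The enclosing `contents` attribute set continues outside the hunk.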
diff --git a/scripts/sbkeys b/scripts/sbkeys
new file mode 100755
index 0000000..a24e215
--- /dev/null
+++ b/scripts/sbkeys
@@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+# Copyright (c) 2015 by Roderick W. Smith
+# Copyright (c) 2020 Corey Hinshaw
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+[ -n "${DEBUG}" ] && set -x
+set -e
+
+usage() {
+  cat <<EOF
+Usage: sbkeys [OPTION]...
+Generate secure boot keys
+
+Options:
+  -h      Print this help text
+  -m      Generate signature database entries for Microsoft certificates
+EOF
+}
+
+generate_keys() {
+  # Do not create new keys if key files already exist
+  KEYS=(
+    PK.key PK.crt PK.cer PK.esl PK.auth
+    KEK.key KEK.crt KEK.cer KEK.esl KEK.auth
+    DB.key DB.crt DB.cer DB.esl DB.auth
+    noPK.esl noPK.auth
+    myGUID.txt
+  )
+  for file in ${KEYS[@]}; do
+    if [ -f ${file} ]; then
+      echo "Skipping key generation: keys already exist in $(pwd)"
+      return
+    fi
+  done
+
+  echo -n "Enter a Common Name to embed in the keys: "
+  read NAME
+
+  # Platform key
+  openssl req -new -x509 \
+      -subj "/CN=${NAME} PK/" -days 3650 -nodes \
+      -newkey rsa:2048 -sha256 \
+      -keyout PK.key -out PK.crt
+  openssl x509 -in PK.crt -out PK.cer -outform DER
+
+  # Key exchange key
+  openssl req -new -x509 \
+      -subj "/CN=${NAME} KEK/" -days 3650 -nodes \
+      -newkey rsa:2048 -sha256 \
+      -keyout KEK.key -out KEK.crt
+  openssl x509 -in KEK.crt -out KEK.cer -outform DER
+
+  # Signature database
+  openssl req -new -x509 \
+      -subj "/CN=${NAME} DB/" -days 3650 -nodes \
+      -newkey rsa:2048 -sha256 \
+      -keyout DB.key -out DB.crt
+  openssl x509 -in DB.crt -out DB.cer -outform DER
+
+  GUID="$(uuidgen -r)"
+  echo ${GUID} > myGUID.txt
+
+  cert-to-efi-sig-list -g ${GUID} PK.crt PK.esl
+  cert-to-efi-sig-list -g ${GUID} KEK.crt KEK.esl
+  cert-to-efi-sig-list -g ${GUID} DB.crt DB.esl
+  rm -f noPK.esl
+  touch noPK.esl
+
+  sign-efi-sig-list \
+      -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+      -k PK.key -c PK.crt \
+      PK PK.esl PK.auth
+  sign-efi-sig-list \
+      -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+      -k PK.key -c PK.crt \
+      PK noPK.esl noPK.auth
+  sign-efi-sig-list \
+      -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+      -k PK.key -c PK.crt \
+      KEK KEK.esl KEK.auth
+  sign-efi-sig-list \
+      -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+      -k KEK.key -c KEK.crt \
+      DB DB.esl DB.auth
+
+  chmod 0600 *.key
+}
+
+generate_ms_db() {
+  msguid=77fa9abd-0359-4d32-bd60-28f4e78f784b
+
+  msdb="MS_db.esl add_MS_db.auth"
+  for file in $msdb; do
+    if [ -f $file ]; then
+      echo "Microsoft signature lists already exist in $(pwd)"
+      return
+    fi
+  done
+
+  wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
+  wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
+
+  sbsiglist --owner "$msguid" --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt
+  sbsiglist --owner "$msguid" --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt
+  cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
+  sign-efi-sig-list -a -g "$msguid" -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth
+
+  rm MS_Win_db.esl MS_UEFI_db.esl MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt
+}
+
+mskeys=0
+
+while getopts ":hm" opt; do
+  case $opt in
+    h)
+      usage
+      cat <<EOF
+
+For use with KeyTool, copy the *.auth and *.esl files to a FAT USB
+flash drive or to your EFI System Partition (ESP).
+For use with most UEFIs' built-in key managers, copy the *.cer files.
+
+To add Microsoft's certificates use KeyTool or UEFI to append
+add_MS_db.auth to the signature database.
+EOF
+      exit 0
+      ;;
+    m)
+      mskeys=1
+      ;;
+    \?)
+      echo "Invalid option: -$OPTARG" >&2
+      usage >&2
+      exit 1
+      ;;
+   esac
+done
+
+generate_keys
+if [ $mskeys -eq 1 ]; then
+  generate_ms_db
+fi
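Review bot: `for file in ${KEYS[@]}` and `[ -f ${file} ]` in `generate_keys` are unquoted, and `read NAME` on line 118 lacks `-r`, so a Common Name containing spaces or backslashes produces wrong file tests and a mangled `-subj`; use `for file in "${KEYS[@]}"; do`, `if [ -f "$file" ]; then` and `read -r NAME` (the same unquoted pattern appears in `generate_ms_db`, `for file in $msdb` / `[ -f $file ]`). The `-t "$(date --date='1 second' ...)"` argument is computed separately for each of the four `sign-efi-sig-list` calls, so the `.auth` files can carry different timestamps; computing it once into a local variable makes the set consistent. In `generate_ms_db` the Microsoft certificates are downloaded with `wget` and enrolled into `db` without any check of their content; comparing each file against a known SHA-256 before `sbsiglist` (values to be filled from Microsoft's published fingerprints, e.g. `sha256sum -c <<<"<EXPECTED_SHA256>  MicCorUEFCA2011_2011-06-27.crt"`) would keep a tampered or changed download from being signed into the trust database. Note that the script has `set -e` but no `pipefail`, and the `echo -n` prompt is not portable (`printf '%s' "..."`).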
diff --git a/scripts/sign-release.sh b/scripts/sign-release.sh
new file mode 100755
index 0000000..0de9aed
--- /dev/null
+++ b/scripts/sign-release.sh
@@ -0,0 +1,19 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p efitools
+
+set -eux
+
+mkdir signed
+cp -L result/* signed/
+
+loopdev=$(sudo losetup -f)
+sudo losetup -P "$loopdev" signed/*.img
+sudo mount "${loopdev}p1" /mnt -t vfat
+
+sudo find signed/ /mnt/ -name "*.efi" -type f -exec sbsign --key <(echo "$DB_KEY") --cert <(echo "$DB_CRT") --output {} {} \;
+
+sudo mkdir -p /mnt/loader/keys/patos
+sudo cp keys/*.auth /mnt/loader/keys/patos/
+
+sudo umount /mnt
+sudo losetup -d "$loopdev"
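Review bot: With `set -eux` on line 233, the process substitutions `<(echo "$DB_KEY")` and `<(echo "$DB_CRT")` on line 242 are traced too, so the private signing key is written verbatim into the CI log; the `-x` flag must not be active while the secret is handled. Independently, the `<(...)` pipe is created once by the shell and then passed as a `/dev/fd/N` path to every `-exec` invocation, so only the first `sbsign` can read it, and `sudo` normally closes descriptors above 2 before running the command, so even the first one may fail to open it. Writing the key and certificate to a `mktemp -d` directory (mode 0700, removed by an `EXIT` trap) and passing those paths is both safer and deterministic across the `find -exec` loop. The script also leaves the loop device attached and `/mnt` mounted on any failure after line 239; folding `umount`/`losetup -d` into the same trap would avoid that.
```shell
set -eu  # no -x: DB_KEY/DB_CRT are handled in this script

keydir=$(mktemp -d)
trap 'rm -rf -- "$keydir"' EXIT
umask 077
printf '%s\n' "$DB_KEY" > "$keydir/db.key"
printf '%s\n' "$DB_CRT" > "$keydir/db.crt"

# … unchanged: mkdir signed, cp -L result/*, losetup, mount …

sudo find signed/ /mnt/ -name "*.efi" -type f \
  -exec sbsign --key "$keydir/db.key" --cert "$keydir/db.crt" --output {} {} \;

# … unchanged: copy keys/*.auth, umount, losetup -d …
```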