diff --git a/README b/README
index 0b8e510f205c7c98fabbd676ba959d6cb024dc58..2c36d74c760c5d0a3fc82dd1313b9b1b536e4aa2 100644
--- a/README
+++ b/README
@@ -149,6 +149,15 @@ the build files in the tor-browser-builds/ directory (unless you changed
 the publish_dir option).
 
 
+Signing builds
+--------------
+
+If the environment variable RBM_SIGN_BUILD is set to 1, the
+sha256sums-unsigned-build.txt file will be signed with gpg.
+You can use the RBM_GPG_OPTS environment variable to add some options
+to the gpg command used to sign the file.
+
+
 Cleaning obsolete files and containers images
 ---------------------------------------------
 
diff --git a/projects/release/config b/projects/release/config
index 09b4c0e7f9cca18112ab635994fad76df481d55e..daa78ddd47c086aa775719b8b3ddae70f752dac2 100644
--- a/projects/release/config
+++ b/projects/release/config
@@ -125,4 +125,7 @@ build: |
   [% END -%]
   cd "$destdir"
   sha256sum $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip | grep -v '\.incremental\.mar$' | sort) > sha256sums-unsigned-build.txt
+  [% IF ENV.RBM_SIGN_BUILD -%]
+    gpg -abs [% ENV.RBM_GPG_OPTS %] sha256sums-unsigned-build.txt
+  [% END -%]
   cat sha256sums-unsigned-build.txt
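Review bot: The added `gpg -abs` line has no visible check on its exit status, so a failed signing (no secret key, no agent or pinentry, or possibly a leftover `.asc` that gpg will not overwrite without a prompt) appears to fall through to the `cat` and leave a build with no signature. The start of the build script is outside this hunk; unless it already runs under `set -e`, I would write the line as `gpg -abs [% ENV.RBM_GPG_OPTS %] sha256sums-unsigned-build.txt || exit 1`. `[% ENV.RBM_GPG_OPTS %]` is expanded into the script text before the shell runs, so its value is parsed as shell syntax and not only as gpg arguments; a comment such as `# RBM_GPG_OPTS is inserted verbatim into this script; it must contain only gpg options` would record that. The README says the variable is "set to 1", but `[% IF ENV.RBM_SIGN_BUILD -%]` is true for any non-empty, non-zero value, so `[% IF ENV.RBM_SIGN_BUILD == 1 -%]` would match the documented behaviour.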