diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b2c1a8d..50e37c3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -24,13 +24,13 @@ jobs:
 - "arm64"
 include:
 - arch: "srcrpm"
- upload-script: "upload-srcrpm-repo"
+ upload-script: "sign-and-upload"
 build: "x86_64-amd64"
 - arch: "amd64"
- upload-script: "upload-repo"
+ upload-script: "sign-and-upload"
 build: "x86_64-amd64"
 - arch: "arm64"
- upload-script: "upload-repo"
+ upload-script: "sign-and-upload"
 build: "aarch64-arm64"
 steps:
 - name: Checkout
@@ -69,28 +69,15 @@ jobs:
 TESTING_AWS_SECRET_ACCESS_KEY: ${{ env.TESTING_AWS_SECRET_ACCESS_KEY }}
 run: |
 dapper -f Dockerfile.${{ matrix.os }}.dapper rpm/${{ matrix.os }}/scripts/build
- - name: Sign
+ - name: Sign and upload to S3
 env:
 TAG: ${{ github.ref_name }}
+ COMBARCH: ${{ matrix.build }}
+ UPLOAD_ARCH: ${{ matrix.arch }}
 PRIVATE_KEY: ${{ env.PRIVATE_KEY }}
 PRIVATE_KEY_PASS_PHRASE: ${{ env.PRIVATE_KEY_PASS_PHRASE }}
 TESTING_PRIVATE_KEY: ${{ env.TESTING_PRIVATE_KEY }}
 TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ env.TESTING_PRIVATE_KEY_PASS_PHRASE }}
- run: |
- docker run --rm \
- -v "$(pwd):/workspace" \
- -w /workspace \
- -e TAG="$TAG" \
- -e PRIVATE_KEY="$PRIVATE_KEY" \
- -e PRIVATE_KEY_PASS_PHRASE="$PRIVATE_KEY_PASS_PHRASE" \
- -e TESTING_PRIVATE_KEY="$TESTING_PRIVATE_KEY" \
- -e TESTING_PRIVATE_KEY_PASS_PHRASE="$TESTING_PRIVATE_KEY_PASS_PHRASE" \
- centos:7 \
- rpm/${{ matrix.os }}/scripts/sign
- - name: Upload to S3
- env:
- TAG: ${{ github.ref_name }}
- COMBARCH: ${{ matrix.build }}
 AWS_S3_BUCKET: ${{ env.AWS_S3_BUCKET }}
 AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
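Review bot: The merged `env:` block gives one step both signing keys and their passphrases alongside the AWS credentials in the context lines below, where the removed `Sign` step held only key material and `Upload to S3` only bucket credentials. Every value is then forwarded into a container that installs packages and downloads tooling at run time, so a compromised dependency there can now read the production signing key and the production bucket credentials together. If the channel is known at workflow level, pass only that channel's key and credentials; otherwise a comment such as `# all four secret sets are exposed to the container; the script selects by RPM_CHANNEL` documents the trade-off. The step's `run:` block lies outside this hunk.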
@@ -102,14 +89,19 @@ jobs:
 -v "$(pwd):/workspace" \
 -w /workspace \
 -e TAG="$TAG" \
+ -e PRIVATE_KEY="$PRIVATE_KEY" \
+ -e PRIVATE_KEY_PASS_PHRASE="$PRIVATE_KEY_PASS_PHRASE" \
+ -e TESTING_PRIVATE_KEY="$TESTING_PRIVATE_KEY" \
+ -e TESTING_PRIVATE_KEY_PASS_PHRASE="$TESTING_PRIVATE_KEY_PASS_PHRASE" \
 -e COMBARCH="$COMBARCH" \
+ -e UPLOAD_ARCH="$UPLOAD_ARCH" \
 -e AWS_S3_BUCKET="$AWS_S3_BUCKET" \
 -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
 -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
 -e TESTING_AWS_S3_BUCKET="$TESTING_AWS_S3_BUCKET" \
 -e TESTING_AWS_ACCESS_KEY_ID="$TESTING_AWS_ACCESS_KEY_ID" \
 -e TESTING_AWS_SECRET_ACCESS_KEY="$TESTING_AWS_SECRET_ACCESS_KEY" \
- centos:7 \
+ quay.io/centos/centos:stream9 \
 rpm/${{ matrix.os }}/scripts/${{ matrix.upload-script }}
 - name: Checksum
 run: |
diff --git a/rpm/centos7/scripts/sign-and-upload b/rpm/centos7/scripts/sign-and-upload
new file mode 100644
index 0000000..f0875cc
--- /dev/null
+++ b/rpm/centos7/scripts/sign-and-upload
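Review bot: The five `sign-and-upload` scripts are added with `new file mode 100644`, yet the last line of this `docker run` executes `rpm/${{ matrix.os }}/scripts/${{ matrix.upload-script }}` directly as the container command, so unless the mode is changed elsewhere the exec fails with permission denied. Commit the scripts as 100755 or invoke them as `bash rpm/${{ matrix.os }}/scripts/${{ matrix.upload-script }}`. The image that receives every `-e` secret is also referenced by the mutable tag `quay.io/centos/centos:stream9`; pinning it by digest (`quay.io/centos/centos:stream9@sha256:<digest>`) keeps a retagged image from being handed the signing keys. The `docker run` line itself starts above this hunk.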
@@ -0,0 +1,106 @@
+#!/bin/bash
+set -e -x
+
+dnf install -y epel-release wget
+
+dnf install -y python3 python3-pip python3-devel \
+ rpm-sign expect git
+
+dnf install -y ca-certificates createrepo_c
+
+pip install --upgrade boto3 pexpect
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name ci@rancher.com
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+%_source_filedigest_algorithm 8
+%_binary_filedigest_algorithm 8
+EOF
+
+if [ -z "$COMBARCH" ]; then
+ echo "Combined architecture was not defined, failing RPM upload"
+ exit 1
+fi
+
+if [ -z "$RPM_MAJMIN" ]; then
+ echo "RPM_MAJMIN not defined, failing rpm upload"
+ exit 1
+fi
+
+if [ -z "$RPM_CHANNEL" ]; then
+ echo "RPM_PATH not defined, failing rpm upload"
+ exit 1
+fi
+
+IFS=- read RPMARCH GOARCH <<<${COMBARCH}
+unset IFS
+
+# Desired TARGET_S3_PATH would be something like rke2//centos/7/
+
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/7/$RPMARCH"
+TARGET_RPM_PATH="dist/centos7/$RPMARCH/rke2-*.rpm"
+
+if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then
+ TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/7/source"
+ TARGET_RPM_PATH="dist/centos7/source/rke2-*.src.rpm"
+
+case "$RPM_CHANNEL" in
+"testing")
+ export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+ if !
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+ echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$TESTING_PRIVATE_KEY"
+ if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
+ echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
+ echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
+ echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
+ export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
+ ;;
+
+"latest" | "stable")
+ if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+ echo "PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$PRIVATE_KEY"
+ if [ -z "$AWS_S3_BUCKET" ]; then
+ echo "AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+ echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+ echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ ;;
+*)
+ echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+ exit 1
+ ;;
+esac
+
+wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
+chmod +x rpm_tooling
+mv ./rpm_tooling /usr/bin
+
+rpm_tooling --bucket $AWS_S3_BUCKET/$TARGET_S3_PATH --region us-east-1 --sign --sign-pass $PRIVATE_KEY_PASS_PHRASE --aws-access-key $AWS_ACCESS_KEY_ID --aws-secret-key $AWS_ACCESS_KEY_ID $TARGET_RPM_PATH
diff --git a/rpm/centos8/scripts/sign-and-upload b/rpm/centos8/scripts/sign-and-upload
new file mode 100644
index 0000000..e5d7d75
--- /dev/null
+++ b/rpm/centos8/scripts/sign-and-upload
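Review bot: The `if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then` block in the centos7 script is never closed, so bash stops with an unexpected-end-of-file syntax error and the signing and upload commands never run; add `fi` after the second `TARGET_RPM_PATH=` line. The last command passes `--aws-secret-key $AWS_ACCESS_KEY_ID`; it should pass `"$AWS_SECRET_ACCESS_KEY"`. With `set -e -x`, the `export PRIVATE_KEY_PASS_PHRASE=…` and `export AWS_SECRET_ACCESS_KEY=…` lines and the `rpm_tooling` arguments are traced to the job log with their values expanded, which relies entirely on the runner's log masking, so drop `-x`. `rpm_tooling` is downloaded from the moving `master` branch and run in a container holding the imported signing key; pin it to a reviewed commit and verify a checksum before installing it. The centos8, centos9, microos and slemicro copies added later in this commit have the same four problems.

```shell
set -e   # -x removed: xtrace would print the passphrase and AWS secret values

# … unchanged: package installs, version sourcing, ~/.rpmmacros, variable checks, default TARGET_* paths …

    TARGET_RPM_PATH="dist/centos7/source/rke2-*.src.rpm"
fi

# … unchanged: case "$RPM_CHANNEL" key import and credential selection …

# <PINNED_COMMIT_SHA> and <EXPECTED_SHA256> are placeholders for values taken from a reviewed revision
wget "https://raw.githubusercontent.com/rancher/ecm-distro-tools/<PINNED_COMMIT_SHA>/bin/rpm_tooling"
echo "<EXPECTED_SHA256>  rpm_tooling" | sha256sum -c -

# … unchanged: chmod +x and mv to /usr/bin …

# TARGET_RPM_PATH stays unquoted on purpose so the rke2-*.rpm glob expands
rpm_tooling --bucket "$AWS_S3_BUCKET/$TARGET_S3_PATH" --region us-east-1 --sign \
    --sign-pass "$PRIVATE_KEY_PASS_PHRASE" \
    --aws-access-key "$AWS_ACCESS_KEY_ID" \
    --aws-secret-key "$AWS_SECRET_ACCESS_KEY" \
    $TARGET_RPM_PATH
```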
@@ -0,0 +1,106 @@
+#!/bin/bash
+set -e -x
+
+dnf install -y epel-release wget
+
+dnf install -y python3 python3-pip python3-devel \
+ rpm-sign expect git
+
+dnf install -y ca-certificates createrepo_c
+
+pip install --upgrade boto3 pexpect
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name ci@rancher.com
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+%_source_filedigest_algorithm 8
+%_binary_filedigest_algorithm 8
+EOF
+
+if [ -z "$COMBARCH" ]; then
+ echo "Combined architecture was not defined, failing RPM upload"
+ exit 1
+fi
+
+if [ -z "$RPM_MAJMIN" ]; then
+ echo "RPM_MAJMIN not defined, failing rpm upload"
+ exit 1
+fi
+
+if [ -z "$RPM_CHANNEL" ]; then
+ echo "RPM_PATH not defined, failing rpm upload"
+ exit 1
+fi
+
+IFS=- read RPMARCH GOARCH <<<${COMBARCH}
+unset IFS
+
+# Desired TARGET_S3_PATH would be something like rke2//centos/7/
+
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/8/$RPMARCH"
+TARGET_RPM_PATH="dist/centos7/$RPMARCH/rke2-*.rpm"
+
+if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then
+ TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/8/source"
+ TARGET_RPM_PATH="dist/centos8/source/rke2-*.src.rpm"
+
+case "$RPM_CHANNEL" in
+"testing")
+ export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+ if !
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+ echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$TESTING_PRIVATE_KEY"
+ if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
+ echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
+ echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
+ echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
+ export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
+ ;;
+
+"latest" | "stable")
+ if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+ echo "PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$PRIVATE_KEY"
+ if [ -z "$AWS_S3_BUCKET" ]; then
+ echo "AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+ echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+ echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ ;;
+*)
+ echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+ exit 1
+ ;;
+esac
+
+wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
+chmod +x rpm_tooling
+mv ./rpm_tooling /usr/bin
+
+rpm_tooling --bucket $AWS_S3_BUCKET/$TARGET_S3_PATH --region us-east-1 --sign --sign-pass $PRIVATE_KEY_PASS_PHRASE --aws-access-key $AWS_ACCESS_KEY_ID --aws-secret-key $AWS_ACCESS_KEY_ID $TARGET_RPM_PATH
diff --git a/rpm/centos9/scripts/sign-and-upload b/rpm/centos9/scripts/sign-and-upload
new file mode 100644
index 0000000..c340903
--- /dev/null
+++ b/rpm/centos9/scripts/sign-and-upload
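Review bot: The binary-RPM glob in this centos8 copy is `TARGET_RPM_PATH="dist/centos7/$RPMARCH/rke2-*.rpm"`, while the S3 prefix on the line above is `centos/8` and the srcrpm branch uses `dist/centos8/source`, which looks like a leftover from the centos7 script. If the centos8 build writes to `dist/centos8/` (not visible here, so confirm against the build script), the amd64 and arm64 jobs would either find nothing to sign or publish centos7 packages under the CentOS 8 repository path. Suggested line: `TARGET_RPM_PATH="dist/centos8/$RPMARCH/rke2-*.rpm"`.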
@@ -0,0 +1,107 @@
+#!/bin/bash
+set -e -x
+
+dnf install -y epel-release wget
+
+dnf install -y python3 python3-pip python3-devel \
+ rpm-sign expect git
+
+dnf install -y ca-certificates createrepo_c
+
+pip install --upgrade boto3 pexpect
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name ci@rancher.com
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+%_source_filedigest_algorithm 8
+%_binary_filedigest_algorithm 8
+EOF
+
+if [ -z "$COMBARCH" ]; then
+ echo "Combined architecture was not defined, failing RPM upload"
+ exit 1
+fi
+
+if [ -z "$RPM_MAJMIN" ]; then
+ echo "RPM_MAJMIN not defined, failing rpm upload"
+ exit 1
+fi
+
+if [ -z "$RPM_CHANNEL" ]; then
+ echo "RPM_PATH not defined, failing rpm upload"
+ exit 1
+fi
+
+IFS=- read RPMARCH GOARCH <<<${COMBARCH}
+unset IFS
+
+# Desired TARGET_S3_PATH would be something like rke2//centos/7/
+
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/9/$RPMARCH"
+TARGET_RPM_PATH="dist/centos9/$RPMARCH/rke2-*.rpm"
+
+if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then
+ TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/9/source"
+ TARGET_RPM_PATH="dist/centos9/source/rke2-*.src.rpm"
+
+case "$RPM_CHANNEL" in
+"testing")
+ export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+ if !
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+ echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$TESTING_PRIVATE_KEY"
+ if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
+ echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
+ echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
+ echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
+ export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
+ ;;
+
+"latest" | "stable")
+ if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+ echo "PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$PRIVATE_KEY"
+ if [ -z "$AWS_S3_BUCKET" ]; then
+ echo "AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+ echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+ echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ ;;
+*)
+ echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+ exit 1
+ ;;
+esac
+
+wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
+chmod +x rpm_tooling
+mv ./rpm_tooling /usr/bin
+
+rpm_tooling --bucket $AWS_S3_BUCKET/$TARGET_S3_PATH --region us-east-1 --sign --sign-pass $PRIVATE_KEY_PASS_PHRASE --aws-access-key $AWS_ACCESS_KEY_ID --aws-secret-key $AWS_ACCESS_KEY_ID $TARGET_RPM_PATH
+
diff --git a/rpm/microos/scripts/sign-and-upload b/rpm/microos/scripts/sign-and-upload
new file mode 100644
index 0000000..d50cf14
--- /dev/null
+++ b/rpm/microos/scripts/sign-and-upload
@@ -0,0 +1,106 @@
+#!/bin/bash
+set -e -x
+
+dnf install -y epel-release wget
+
+dnf install -y python3 python3-pip python3-devel \
+ rpm-sign expect git
+
+dnf install -y ca-certificates createrepo_c
+
+pip install --upgrade boto3 pexpect
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name ci@rancher.com
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+%_source_filedigest_algorithm 8
+%_binary_filedigest_algorithm 8
+EOF
+
+if [ -z "$COMBARCH" ]; then
+ echo "Combined architecture was not defined, failing RPM upload"
+ exit 1
+fi
+
+if [ -z "$RPM_MAJMIN" ]; then
+ echo "RPM_MAJMIN not defined, failing rpm upload"
+ exit 1
+fi
+
+if [ -z "$RPM_CHANNEL" ]; then
+ echo "RPM_PATH not defined, failing rpm upload"
+ exit 1
+fi
+
+IFS=- read RPMARCH GOARCH <<<${COMBARCH}
+unset IFS
+
+# Desired TARGET_S3_PATH would be something like rke2//centos/7/
+
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/microos/$RPMARCH"
+TARGET_RPM_PATH="dist/microos/$RPMARCH/rke2-*.rpm"
+
+if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then
+ TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/microos/source"
+ TARGET_RPM_PATH="dist/microos/source/rke2-*.src.rpm"
+
+case "$RPM_CHANNEL" in
+"testing")
+ export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+ if !
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+ echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$TESTING_PRIVATE_KEY"
+ if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
+ echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
+ echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
+ echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
+ export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
+ ;;
+
+"latest" | "stable")
+ if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+ echo "PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$PRIVATE_KEY"
+ if [ -z "$AWS_S3_BUCKET" ]; then
+ echo "AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+ echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+ echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ ;;
+*)
+ echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+ exit 1
+ ;;
+esac
+
+wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
+chmod +x rpm_tooling
+mv ./rpm_tooling /usr/bin
+
+rpm_tooling --bucket $AWS_S3_BUCKET/$TARGET_S3_PATH --region us-east-1 --sign --sign-pass $PRIVATE_KEY_PASS_PHRASE --aws-access-key $AWS_ACCESS_KEY_ID --aws-secret-key $AWS_ACCESS_KEY_ID $TARGET_RPM_PATH
diff --git a/rpm/slemicro/scripts/sign-and-upload b/rpm/slemicro/scripts/sign-and-upload
new file mode 100644
index 0000000..b000463
--- /dev/null
+++ b/rpm/slemicro/scripts/sign-and-upload
@@ -0,0 +1,107 @@
+#!/bin/bash
+set -e -x
+
+dnf install -y epel-release wget
+
+dnf install -y python3 python3-pip python3-devel \
+ rpm-sign expect git
+
+dnf install -y ca-certificates createrepo_c
+
+pip install --upgrade boto3 pexpect
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name ci@rancher.com
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+%_source_filedigest_algorithm 8
+%_binary_filedigest_algorithm 8
+EOF
+
+if [ -z "$COMBARCH" ]; then
+ echo "Combined architecture was not defined, failing RPM upload"
+ exit 1
+fi
+
+if [ -z "$RPM_MAJMIN" ]; then
+ echo "RPM_MAJMIN not defined, failing rpm upload"
+ exit 1
+fi
+
+if [ -z "$RPM_CHANNEL" ]; then
+ echo "RPM_PATH not defined, failing rpm upload"
+ exit 1
+fi
+
+IFS=- read RPMARCH GOARCH <<<${COMBARCH}
+unset IFS
+
+# Desired TARGET_S3_PATH would be something like rke2//centos/7/
+
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/slemicro/$RPMARCH"
+TARGET_RPM_PATH="dist/slemicro/$RPMARCH/rke2-*.rpm"
+
+if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then
+ TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/slemicro/source"
+ TARGET_RPM_PATH="dist/slemicro/source/rke2-*.src.rpm"
+
+
+case "$RPM_CHANNEL" in
+"testing")
+ export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+ if !
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+ echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$TESTING_PRIVATE_KEY"
+ if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
+ echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
+ echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
+ echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
+ export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
+ ;;
+
+"latest" | "stable")
+ if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+ echo "PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$PRIVATE_KEY"
+ if [ -z "$AWS_S3_BUCKET" ]; then
+ echo "AWS_S3_BUCKET not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+ echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+ exit 1
+ fi
+ if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+ echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+ exit 1
+ fi
+ ;;
+*)
+ echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+ exit 1
+ ;;
+esac
+
+wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
+chmod +x rpm_tooling
+mv ./rpm_tooling /usr/bin
+
+rpm_tooling --bucket $AWS_S3_BUCKET/$TARGET_S3_PATH --region us-east-1 --sign --sign-pass $PRIVATE_KEY_PASS_PHRASE --aws-access-key $AWS_ACCESS_KEY_ID --aws-secret-key $AWS_ACCESS_KEY_ID $TARGET_RPM_PATH