diff --git a/.github/actions/jreleaser/action.yml b/.github/actions/jreleaser/action.yml
index 3d3c901..4c42f64 100644
--- a/.github/actions/jreleaser/action.yml
+++ b/.github/actions/jreleaser/action.yml
@@ -18,38 +18,5 @@ runs:
         export JRELEASER_MAVENCENTRAL_USERNAME="foo"
         export JRELEASER_MAVENCENTRAL_TOKEN="foo"
         export JRELEASER_GENERIC_TOKEN="foo"
-        
-        export JRELEASER_GPG_PASSPHRASE="foo"
-        export JRELEASER_GPG_PUBLIC_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
 
-        mDMEaL8nuRYJKwYBBAHaRw8BAQdAWL775FzgrwDmg7muKyddMoed4k/Xb/fYly/J
-        /uDD2wy0BHRlc3SIkwQTFgoAOxYhBLcG5xXLamZFShYwTwukzlxOPrMDBQJovye5
-        AhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEAukzlxOPrMDAHsBAPC+
-        eUMDlJlvQDLduN0+BGD75RENyayZONHT42H2+U+aAP9wwQBJfhCCEzY3GpeavFgz
-        4IyWZf5Wh4m2/qKPpW10B7g4BGi/J7kSCisGAQQBl1UBBQEBB0AETG4BD1cgDqs1
-        lfU9+R/ECvlY4AdiO8iqBUtuabtMZwMBCAeIeAQYFgoAIBYhBLcG5xXLamZFShYw
-        TwukzlxOPrMDBQJovye5AhsMAAoJEAukzlxOPrMDuzkA/2WXh8Wikfpx6O4xoZf0
-        2Faek9vBPZlTM7Caoeq4tSV4AQCYcg1P9BFghqhnwvrRZvdQQTx76umHLz8enbke
-        OAHfDw==
-        =/9s0
-        -----END PGP PUBLIC KEY BLOCK-----
-        "
-        export JRELEASER_GPG_SECRET_KEY="-----BEGIN PGP PRIVATE KEY BLOCK-----
-
-        lIYEaL8nuRYJKwYBBAHaRw8BAQdAWL775FzgrwDmg7muKyddMoed4k/Xb/fYly/J
-        /uDD2wz+BwMCt8L5E1VPKf77t6bLQLCI+2wjvZ44neIE4Y1VKcXo0Al8Dr3kiQ/g
-        1QU5HyRVGFjP1D4G4t3uRItcXVTkTIjS8CPEbDX9gjmKI11ofAy6U7QEdGVzdIiT
-        BBMWCgA7FiEEtwbnFctqZkVKFjBPC6TOXE4+swMFAmi/J7kCGwMFCwkIBwICIgIG
-        FQoJCAsCBBYCAwECHgcCF4AACgkQC6TOXE4+swMAewEA8L55QwOUmW9AMt243T4E
-        YPvlEQ3JrJk40dPjYfb5T5oA/3DBAEl+EIITNjcal5q8WDPgjJZl/laHibb+oo+l
-        bXQHnIsEaL8nuRIKKwYBBAGXVQEFAQEHQARMbgEPVyAOqzWV9T35H8QK+VjgB2I7
-        yKoFS25pu0xnAwEIB/4HAwJjZQiU4xs+4/szvtJM8d6hcARU5Q4Q5SZUB2AL2RCm
-        DdH6rGZUEQCu4GTkp0vdvLHv0xiBOPBbbvMbmB3o4ZY+PjhHWnPjRMq4+x9owetd
-        iHgEGBYKACAWIQS3BucVy2pmRUoWME8LpM5cTj6zAwUCaL8nuQIbDAAKCRALpM5c
-        Tj6zA7s5AP9ll4fFopH6cejuMaGX9NhWnpPbwT2ZUzOwmqHquLUleAEAmHINT/QR
-        YIaoZ8L60Wb3UEE8e+rphy8/Hp25HjgB3w8=
-        =9G5n
-        -----END PGP PRIVATE KEY BLOCK-----
-        "
-        
         ./gradlew jreleaserFullRelease --dryrun --stacktrace
diff --git a/build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/dsl/Publish.kt b/build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/dsl/Publish.kt
index a3ec697..ba7f5e9 100644
--- a/build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/dsl/Publish.kt
+++ b/build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/dsl/Publish.kt
@@ -182,7 +182,8 @@ fun Project.configureNexusPublishing(repoName: String, githubOrganization: Strin
 }
 
 /**
- * Configure publishing for this project. This applies the `maven-publish` plugin and configures publications.
+ * Configure publishing for this project. This applies the `maven-publish` and `signing` plugins and configures
+ * the publications.
  * @param repoName the repository name (e.g. `smithy-kotlin`, `aws-sdk-kotlin`, etc)
  * @param githubOrganization the name of the GitHub organization that [repoName] is located in
  */
@@ -235,6 +236,23 @@ fun Project.configurePublishing(repoName: String, githubOrganization: String = "
                 }
             }
         }
+
+        val secretKey = System.getenv(EnvironmentVariables.GPG_SECRET_KEY)
+        val passphrase = System.getenv(EnvironmentVariables.GPG_PASSPHRASE)
+
+        if (!secretKey.isNullOrBlank() && !passphrase.isNullOrBlank()) {
+            apply(plugin = "signing")
+            extensions.configure<SigningExtension> {
+                useInMemoryPgpKeys(secretKey, passphrase)
+                sign(publications)
+            }
+
+            // FIXME - workaround for https://github.com/gradle/gradle/issues/26091
+            val signingTasks = tasks.withType<Sign>()
+            tasks.withType<AbstractPublishToMaven>().configureEach {
+                mustRunAfter(signingTasks)
+            }
+        }
     }
 
     tasks.withType<AbstractPublishToMaven>().configureEach {
@@ -294,9 +312,6 @@ fun Project.configureJReleaser() {
     val requiredVariables = listOf(
         EnvironmentVariables.MAVEN_CENTRAL_USERNAME,
         EnvironmentVariables.MAVEN_CENTRAL_TOKEN,
-        EnvironmentVariables.GPG_PASSPHRASE,
-        EnvironmentVariables.GPG_PUBLIC_KEY,
-        EnvironmentVariables.GPG_SECRET_KEY,
         EnvironmentVariables.GENERIC_TOKEN,
     )
 
@@ -331,11 +346,6 @@ fun Project.configureJReleaser() {
             version = providers.gradleProperty("sdkVersion").get()
         }
 
-        signing {
-            active = Active.ALWAYS
-            armored = true
-        }
-
         // JReleaser requires a releaser to be configured even though we don't use it.
         // https://github.com/jreleaser/jreleaser/discussions/1725#discussioncomment-10674529
         release {
@@ -355,6 +365,7 @@ fun Project.configureJReleaser() {
                 mavenCentral {
                     create("maven-central") {
                         active = Active.ALWAYS // the Maven deployer default is ALWAYS, but MavenCentral is NEVER
+                        sign = false // Signing is done when publishing, see the 'configurePublishing' function
                         url = "https://central.sonatype.com/api/v1/publisher"
                         stagingRepository(rootProject.layout.buildDirectory.dir("m2").get().toString())
                         artifacts {