diff --git a/pkg/build/config.go b/pkg/build/config.go
index d3e02b4b..5c6fb415 100644
--- a/pkg/build/config.go
+++ b/pkg/build/config.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/host-uk/core/pkg/build/signing"
 	"gopkg.in/yaml.v3"
 )
 
@@ -27,6 +28,8 @@ type BuildConfig struct {
 	Build Build `yaml:"build"`
 	// Targets defines the build targets.
 	Targets []TargetConfig `yaml:"targets"`
+	// Sign contains code signing configuration.
+	Sign signing.SignConfig `yaml:"sign,omitempty"`
 }
 
 // Project holds project metadata.
@@ -109,6 +112,7 @@ func DefaultConfig() *BuildConfig {
 			{OS: "darwin", Arch: "arm64"},
 			{OS: "windows", Arch: "amd64"},
 		},
+		Sign: signing.DefaultSignConfig(),
 	}
 }
 
@@ -139,6 +143,9 @@ func applyDefaults(cfg *BuildConfig) {
 	if len(cfg.Targets) == 0 {
 		cfg.Targets = defaults.Targets
 	}
+
+	// Expand environment variables in sign config
+	cfg.Sign.ExpandEnv()
 }
 
 // ConfigPath returns the path to the build config file for a given directory.
diff --git a/pkg/build/config_test.go b/pkg/build/config_test.go
index d12440fc..2723ce7a 100644
--- a/pkg/build/config_test.go
+++ b/pkg/build/config_test.go
@@ -233,6 +233,41 @@ func TestConfigExists_Good(t *testing.T) {
 	})
 }
 
+func TestLoadConfig_Good_SignConfig(t *testing.T) {
+	tmpDir := t.TempDir()
+	coreDir := filepath.Join(tmpDir, ".core")
+	os.MkdirAll(coreDir, 0755)
+
+	configContent := `version: 1
+sign:
+  enabled: true
+  gpg:
+    key: "ABCD1234"
+  macos:
+    identity: "Developer ID Application: Test"
+    notarize: true
+`
+	os.WriteFile(filepath.Join(coreDir, "build.yaml"), []byte(configContent), 0644)
+
+	cfg, err := LoadConfig(tmpDir)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if !cfg.Sign.Enabled {
+		t.Error("expected Sign.Enabled to be true")
+	}
+	if cfg.Sign.GPG.Key != "ABCD1234" {
+		t.Errorf("expected GPG.Key 'ABCD1234', got %q", cfg.Sign.GPG.Key)
+	}
+	if cfg.Sign.MacOS.Identity != "Developer ID Application: Test" {
+		t.Errorf("expected MacOS.Identity, got %q", cfg.Sign.MacOS.Identity)
+	}
+	if !cfg.Sign.MacOS.Notarize {
+		t.Error("expected MacOS.Notarize to be true")
+	}
+}
+
 func TestBuildConfig_ToTargets_Good(t *testing.T) {
 	t.Run("converts TargetConfig to Target", func(t *testing.T) {
 		cfg := &BuildConfig{