diff --git a/roles/sign-artifacts/README.rst b/roles/sign-artifacts/README.rst
new file mode 100644
index 000000000..870516000
--- /dev/null
+++ b/roles/sign-artifacts/README.rst
@@ -0,0 +1,22 @@
+Sign artifacts
+
+**Role Variables**
+
+.. zuul:rolevar:: gpg_key
+
+   Complex argument which contains the GPG public and secret keyrings
+   for signing the artifacts. It is expected that this argument comes
+   from a `Secret`.
+
+   .. zuul:rolevar:: pubring
+
+      The binary contents of the GPG pubring.
+
+   .. zuul:rolevar:: secring
+
+      The binary contents of the GPG secring.
+
+.. zuul:rolevar:: gpg_artifact_path
+   :default: "{{ zuul.executor.work_root }}/artifacts/"
+
+   Path to a directory containing artifacts to sign.
diff --git a/roles/sign-artifacts/defaults/main.yaml b/roles/sign-artifacts/defaults/main.yaml
new file mode 100644
index 000000000..13d037980
--- /dev/null
+++ b/roles/sign-artifacts/defaults/main.yaml
@@ -0,0 +1 @@
+gpg_sign_path: "{{ zuul.executor.work_root }}/artifacts/"
diff --git a/roles/sign-artifacts/tasks/main.yaml b/roles/sign-artifacts/tasks/main.yaml
new file mode 100644
index 000000000..a83c834cb
--- /dev/null
+++ b/roles/sign-artifacts/tasks/main.yaml
@@ -0,0 +1,26 @@
+- name: Make GPG directory
+  tempfile:
+    state: directory
+  register: gnupg_tmpdir
+
+- name: Create GPG pubring
+  copy:
+    content: "{{ gpg_key.pubring }}"
+    dest: "{{ gnupg_tmpdir.path }}/pubring.gpg"
+    mode: 0400
+
+- name: Create GPG secring
+  copy:
+    content: "{{ gpg_key.secring }}"
+    dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
+    mode: 0400
+
+- name: Find files to sign
+  find:
+    paths: "{{ gpg_sign_path }}"
+  register: artifacts
+
+- name: Sign artifacts
+  command: "gpg --homedir {{ gnupg_tmpdir.path }} --armor --detach-sign {{ item.path }}"
+  with_items: "{{ artifacts.files }}"
+  when: artifacts.matched|bool
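Review bot: The variable defined in defaults/main.yaml is `gpg_sign_path`, but the README added in the same change documents the role's path variable as `gpg_artifact_path` with the identical default, so a user following the docs will set a variable the tasks never read (the `find` task looks up `gpg_sign_path`). Rename one side so they agree, e.g. `gpg_artifact_path: "{{ zuul.executor.work_root }}/artifacts/"` here together with `paths: "{{ gpg_artifact_path }}"` in the find task, or change the README entry to `gpg_sign_path`.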
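Review bot: The secret keyring written to `{{ gnupg_tmpdir.path }}/secring.gpg` in the "Create GPG secring" task is never removed, so the signing key stays on disk in the executor's temp directory after the role finishes; add a final cleanup task (ideally wrapping the signing in a `block`/`always` so the removal also runs when `gpg` fails). That `copy` task should also carry `no_log: true`, because with `content:` the key material can otherwise be echoed in verbose or diff output. The `command:` string in "Sign artifacts" is split on whitespace, so an artifact name containing spaces would be passed to gpg as several arguments; `{{ item.path | quote }}` keeps it a single argument. Finally, `mode: 0400` is an unquoted octal literal that Ansible asks to be given as a string, `mode: "0400"`.
```yaml
- name: Create GPG secring
  copy:
    content: "{{ gpg_key.secring }}"
    dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
    mode: "0400"
  no_log: true

# … unchanged: find and sign tasks …

- name: Remove GPG directory
  file:
    path: "{{ gnupg_tmpdir.path }}"
    state: absent
```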