diff --git a/playbooks/albs_with_separate_build_node.yml b/playbooks/albs_with_separate_build_node.yml index 7dbe8af..a575ccb 100644 --- a/playbooks/albs_with_separate_build_node.yml +++ b/playbooks/albs_with_separate_build_node.yml @@ -13,5 +13,6 @@ - separate_build_node tags: - build-node-deploy + - pesign connection: "{{ 'local' if use_local_connection else 'ssh' }}" ... diff --git a/roles/separate_build_node/defaults/main/common.yml b/roles/separate_build_node/defaults/main/common.yml index 2dcdd92..c5243a8 100644 --- a/roles/separate_build_node/defaults/main/common.yml +++ b/roles/separate_build_node/defaults/main/common.yml @@ -9,7 +9,10 @@ service_group: albs-builder build_node_working_directory: "{{ home_dir }}/albs" build_node_venv_directory: "{{ home_dir }}/.builder-venv" build_node_requirements_path: "{{ build_node_working_directory }}/albs-node/requirements.txt" +pesign_dir_path: "/opt/pesign" powertools_repository_name: crb +rpm_sign_server_base: "" +rpm_sign_jwt: "" working_directories: - "{{ base_work_dir }}" - "{{ build_node_working_directory }}" diff --git a/roles/separate_build_node/defaults/main/dnf.yml b/roles/separate_build_node/defaults/main/dnf.yml index aa30d5f..6936131 100644 --- a/roles/separate_build_node/defaults/main/dnf.yml +++ b/roles/separate_build_node/defaults/main/dnf.yml @@ -5,7 +5,6 @@ build_node_dnf_packages: - "cmake" - "cpio" - "createrepo_c" - - "ef2sprogs" - "fedpkg" - "gcc" - "gcc-c++" @@ -13,6 +12,9 @@ build_node_dnf_packages: - "htop" - "kernel-rpm-macros" - "keyrings-filesystem" + - "libcurl-devel" + - "rustc" + - "cargo" - "libicu" - "libicu-devel" - "mc" @@ -29,4 +31,5 @@ build_node_dnf_packages: - "tree" - "ubu-keyring" - "xmlsec1-openssl-devel" + - "rsyslog-logrotate" ... diff --git a/roles/separate_build_node/tasks/create_env.yml b/roles/separate_build_node/tasks/create_env.yml index 7ed19e0..2ae930b 100644 --- a/roles/separate_build_node/tasks/create_env.yml +++ b/roles/separate_build_node/tasks/create_env.yml 
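Review bot: Adding `- pesign` to this play/role-level `tags` list applies the tag to every task the role runs, so `--tags pesign` will execute the whole deployment rather than only the `include_tasks: pesign.yml` that the tasks/main.yml hunk of this same commit marks with `tags: pesign`. Independently of that, a tag on an `include_tasks` line only gates the include statement itself; the tasks inside pesign.yml inherit nothing unless the include also carries `apply: {tags: pesign}` (or becomes an `import_tasks`). If the goal is to let operators re-run just the signing setup, drop `- pesign` here and give the include in main.yml both `tags: pesign` and `apply: {tags: pesign}`. I cannot see from this hunk whether `tags:` belongs to the role entry or to the play, but the effect on tag inheritance is the same either way.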
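Review bot: The new defaults cover `rpm_sign_server_base` and `rpm_sign_jwt`, but the templates added in this change also read `alma_pesign_server`, `common_pesign_server` and `pesign_jwt_token`, which get no default here; unless they are defined in inventory or group vars outside this diff, the `Create modsign script` and `Create pesign script` tasks will fail on an undefined variable. Either add them alongside (`alma_pesign_server: ""`, `common_pesign_server: ""`, `pesign_jwt_token: ""`) or leave them deliberately undefined and render them as `{{ pesign_jwt_token | mandatory }}` so the failure names the missing variable. An empty-string default for a token and a server URL also means a misconfigured node deploys a signing wrapper that only fails at build time; an `ansible.builtin.assert` in pesign.yml checking both are non-empty would surface that at deploy time instead.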
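Review bot: The package additions in the second and third hunks of defaults/main/dnf.yml are inserted out of the list's alphabetical order (`rustc` and `cargo` between `keyrings-filesystem` and `libicu`, `rsyslog-logrotate` after `xmlsec1-openssl-devel`), which makes duplicate checks and future diffs harder to read. Place each new entry at its sorted position instead of appending it where the edit happened to land.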
@@ -55,4 +55,6 @@ ansible.builtin.pip: requirements: "{{ build_node_requirements_path }}" virtualenv: "{{ build_node_venv_directory }}" + tags: + - update-env ... diff --git a/roles/separate_build_node/tasks/dnf.yml b/roles/separate_build_node/tasks/dnf.yml index bb1a5eb..39841e1 100644 --- a/roles/separate_build_node/tasks/dnf.yml +++ b/roles/separate_build_node/tasks/dnf.yml @@ -26,6 +26,7 @@ gpgcheck: no - name: Install required system packages packages + become: yes ansible.builtin.dnf: name: "{{ build_node_dnf_packages }}" state: latest diff --git a/roles/separate_build_node/tasks/main.yml b/roles/separate_build_node/tasks/main.yml index 6f369d5..302e1dd 100644 --- a/roles/separate_build_node/tasks/main.yml +++ b/roles/separate_build_node/tasks/main.yml @@ -4,5 +4,7 @@ - include_tasks: dnf.yml - include_tasks: common.yml - include_tasks: create_env.yml + - include_tasks: pesign.yml + tags: pesign - include_tasks: install_systemd_service.yml ... diff --git a/roles/separate_build_node/tasks/pesign.yml b/roles/separate_build_node/tasks/pesign.yml new file mode 100644 index 0000000..db78d4b --- /dev/null +++ b/roles/separate_build_node/tasks/pesign.yml 
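Review bot: `become: yes` on the new line uses the YAML 1.1 truthy spelling that ansible-lint's `yaml[truthy]` rule flags; write `become: true`, and the same applies to `recurse: yes` in the new pesign.yml. Because this is the only task in the role that gains `become`, it is worth confirming whether the rest of the role is already expected to run privileged: the file tasks in pesign.yml write root-owned files under `/opt` without any `become`, which suggests the escalation belongs at the play or role level rather than on one task.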
@@ -0,0 +1,62 @@ +--- + +- name: Create pesign dir + ansible.builtin.file: + path: "{{ pesign_dir_path }}" + state: directory + recurse: yes + owner: root + group: root + +- name: Create modsign script + ansible.builtin.template: + dest: "{{ pesign_dir_path }}/modsign" + src: modsign.j2 + group: root + owner: root + mode: 0755 + +- name: Create pesign script + ansible.builtin.template: + dest: "{{ pesign_dir_path }}/pesign" + src: pesign.j2 + group: root + owner: root + mode: 0755 + +- name: Create pesign-client script + ansible.builtin.template: + dest: "{{ pesign_dir_path }}/pesign-client" + src: pesign-client.j2 + group: root + owner: root + mode: 0755 + +- name: Deploy rpm-sign config + ansible.builtin.template: + dest: "{{ pesign_dir_path }}/rpm-sign.conf" + src: rpm-sign.conf.j2 + owner: root + group: mock + mode: "0640" + +- name: Deploy rpm-sign certificates and key + ansible.builtin.template: + dest: "{{ pesign_dir_path }}/{{ item }}" + src: "{{ item }}" + owner: root + group: mock + mode: "0640" + loop: + - rpm-sign-server.pem + - rpm-sign.key + - rpm-sign.pem + +- name: Deploy rpm-sign.local script + ansible.builtin.template: + dest: "{{ pesign_dir_path }}/rpm-sign.local" + src: rpm-sign.local + owner: root + group: mock + mode: "0750" +... diff --git a/roles/separate_build_node/templates/modsign.j2 b/roles/separate_build_node/templates/modsign.j2 new file mode 100644 index 0000000..cbad1e3 --- /dev/null +++ b/roles/separate_build_node/templates/modsign.j2 @@ -0,0 +1,7 @@ +#!/bin/bash + +SERVER="{{ alma_pesign_server }}/sign_module/" + +JWT="{{ pesign_jwt_token }}" + +curl -s --fail -X POST -H "os: $1" -H "Content-Type: multipart/form-data" -H "Cookie: JWT=${JWT}" -F "input_file=@$2" --output "$2" ${SERVER} diff --git a/roles/separate_build_node/templates/pesign-client.j2 b/roles/separate_build_node/templates/pesign-client.j2 new file mode 100644 index 0000000..df5b6ba --- /dev/null +++ b/roles/separate_build_node/templates/pesign-client.j2 
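Review bot: The three script tasks use a bare `mode: 0755` while the later tasks in the same file quote `"0640"` and `"0750"`; unquoted `0755` is read by YAML as an integer and is exactly what ansible-lint's `risky-octal` rule warns about, so write `mode: "0755"` on all three. The `Create pesign dir` task sets owner and group but no `mode`, so the directory's permissions depend on the remote umask even though `rpm-sign.key` is placed inside it at `0640 root:mock`; pin it explicitly (`mode: "0750"` with `group: mock`, or `"0755"` if the scripts must be reachable by everyone). None of these tasks carries `become`, yet they create root-owned files under `/opt`; given that the dnf task in this same commit needed `become: yes`, these very likely need it as well unless the play is already privileged. The vault-encrypted PEM and key files are deployed with `ansible.builtin.template`, which runs a Jinja pass over key material for no benefit; `ansible.builtin.copy` also decrypts vaulted sources and states the intent more plainly.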
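Review bot: The token `{{ pesign_jwt_token }}` is rendered into `modsign`, which pesign.yml installs as `0755 root:root`, so the JWT is readable by every local account on the build node; the same holds for the `pesign` and `pesign-client` templates in this commit. The rpm-sign wrapper added alongside already keeps its secret in a `0640 root:mock` config file, so these scripts should read the token from a file with that kind of protection (or at minimum be installed `0750` with `group: mock`) rather than embed it. Separately, `-F "input_file=@$2" --output "$2"` uploads a file and then overwrites it in place; with `-s` and no `-S`, a rejected or truncated response leaves the caller with no error text and possibly a damaged module, so write to a temporary file first, e.g. `tmp="$(mktemp)"` then `curl -sS --fail … --output "$tmp" "${SERVER}" && mv "$tmp" "$2"`. The script also has no `set -euo pipefail` and leaves `${SERVER}` unquoted, unlike rpm-sign.local in the same change.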
@@ -0,0 +1,56 @@ +#!/bin/bash + +JWT="{{ pesign_jwt_token }}" + +while [[ $# -gt 0 ]]; do + key="$1" + + case $key in + -t) + sign_token="$2" + shift # past argument + shift # past value + ;; + -c) + sign_cert="$2" + shift # past argument + shift # past value + ;; + -i) + input_file="$2" + shift # past argument + shift # past value + ;; + -o) + output_file="$2" + shift # past argument + shift # past value + ;; + -e) + output_sattr="$2" + shift # past argument + shift # past value + ;; + -s) + shift # past argument + ;; + -C) + export_cert="$2" + shift # past argument + shift # past value + ;; + --certdir) + certdir="$2" + shift # past argument + shift # past value + ;; + esac +done + +if [ "${sign_token}" == "AlmaLinux OS Foundation" ]; then + SERVER="{{ alma_pesign_server }}/sign_efi/" +else + SERVER="{{ common_pesign_server }}/sign_efi/" +fi + +curl -s --fail -X POST -H "sign_token: ${sign_token}" -H "sign_cert: ${sign_cert}" -H "Content-Type: multipart/form-data" -H "Cookie: JWT=${JWT}" -F "input_file=@${input_file}" --output "${output_file}" ${SERVER} diff --git a/roles/separate_build_node/templates/pesign.j2 b/roles/separate_build_node/templates/pesign.j2 new file mode 100644 index 0000000..df5b6ba --- /dev/null +++ b/roles/separate_build_node/templates/pesign.j2 
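Review bot: The `case $key in` block has no `*)` branch, so any argument the script does not recognise is never shifted and `while [[ $# -gt 0 ]]` spins forever; add `*) echo "pesign-client: unknown option: $key" >&2; exit 1 ;;` (or at the very least `*) shift ;;`) before `esac`. This file is byte-identical to pesign.j2 in the same commit (both show blob `df5b6ba`); keeping a single template and deploying it under both names, or symlinking one to the other, avoids the two drifting apart, and this note applies to that hunk too. `sign_cert` and `input_file` are used unset when `-c`/`-i` are not supplied, `${SERVER}` is unquoted, and `-s` without `-S` means a rejected upload yields nothing beyond curl's exit code. `output_sattr`, `export_cert` and `certdir` are parsed but never used, which is reasonable if this is meant as a drop-in for the pesign CLI, but a one-line comment saying so would spare the next reader the question.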
@@ -0,0 +1,56 @@ +#!/bin/bash + +JWT="{{ pesign_jwt_token }}" + +while [[ $# -gt 0 ]]; do + key="$1" + + case $key in + -t) + sign_token="$2" + shift # past argument + shift # past value + ;; + -c) + sign_cert="$2" + shift # past argument + shift # past value + ;; + -i) + input_file="$2" + shift # past argument + shift # past value + ;; + -o) + output_file="$2" + shift # past argument + shift # past value + ;; + -e) + output_sattr="$2" + shift # past argument + shift # past value + ;; + -s) + shift # past argument + ;; + -C) + export_cert="$2" + shift # past argument + shift # past value + ;; + --certdir) + certdir="$2" + shift # past argument + shift # past value + ;; + esac +done + +if [ "${sign_token}" == "AlmaLinux OS Foundation" ]; then + SERVER="{{ alma_pesign_server }}/sign_efi/" +else + SERVER="{{ common_pesign_server }}/sign_efi/" +fi + +curl -s --fail -X POST -H "sign_token: ${sign_token}" -H "sign_cert: ${sign_cert}" -H "Content-Type: multipart/form-data" -H "Cookie: JWT=${JWT}" -F "input_file=@${input_file}" --output "${output_file}" ${SERVER} diff --git a/roles/separate_build_node/templates/rpm-sign-server.pem b/roles/separate_build_node/templates/rpm-sign-server.pem new file mode 100644 index 0000000..22829b4 --- /dev/null +++ b/roles/separate_build_node/templates/rpm-sign-server.pem 
@@ -0,0 +1,99 @@ +$ANSIBLE_VAULT;1.1;AES256 +37306161666664383239373261363033313034623762383866393061303330656564663332363330 +6561353031376263656631356538656137633936633330650a313962396339346332376533626539 +36376363363533303337303334633336393264313730306563356263303237653964616565333233 +3032333137323437630a316531386361343231656437316563386565336533623639323538656634 +39353861336235336639646639653137346262393161333334353135383032333163373561623431 +66383262663136343635646335616264363037313335613536306166643230666237626433323139 +66306633653930313539356338303461376133373632633965303735636631356439636465376262 +34376232633634383062303138656634653666656430333962373031346164333937626630616636 +31656430363263363830313930356566323432306133666464396261653837316661663163313565 +36616534323263313864343033623338616535346534623266653035313239343435376139353439 +61636533363362633531396261306337386535613065666239656630633364643963626663373766 +64336562336163613432353231313265663733643165326335366236373233373933663638353166 +62656539366263326137393738613366396237303139386239353135656539633464316561323131 +30363538346235396136396564643232353466383137626362653733626334373536346163376339 +35656439613934313963653432663936623964666537396462336137656639653163633937323435 +66633365346535323964383661646130636430373662623231353136323133326566613961336463 +34366136343332666264303562333162396337643439646364653737326161356566373266653463 +61336365343561626663383233643130313830343864363833666262336466366138363763333336 +63653137386331356138323431643966356462316538316261303366663061366431656266663265 +66626263666236333737366539623239346436356138613366343038363034383638656636613164 +62383038613462373562333139306232646433363930613062316236613863393430396635353164 +37303065356636363562396366396162643063666361633830306237626362623638316135343837 +66373761393666306639346433363835336633316135306366656632356266393435353464366565 
+39363335653537643863346634643363383333333761613436663361666635623439353762393036 +32333763653262346266376436326431393038303966656166653239373830353265393330353463 +65316162626662303132346133623830313136386535376136333962373466343464353530633834 +39626462643230626334653739366364643836333332633965313137323235376538643335366338 +32626330313265316537313163643165313434663338623663623666396631623136653832636264 +37323663636165363939326633623765613662323264353934323536366361646363393761656438 +63636539343738396334636137363266353862383338643065346234303732363965336633356432 +33636337616662656637656235343634366365303762613464633464653834393238323061343962 +64633437633066633938643532303765396139633135373462393636663739643839646363396130 +33373536373663633332626162346263373231346134356361383939633264656663373464373531 +63376635303263363634393139363935363736643265613931613937666534656632343039643362 +36303863663666353939653938373138336230383233623230333239633031333338336165353066 +35373235646631663766636635383731626439326439383931633334386362373363363263643566 +30653639303839616166303430663838326432666439373136663064663165613165313936313763 +62613235626631623066363139623766363737616664343830626237333036393864353234653138 +35353735396366616163636630386662383034393965396432396435373639393664303935336364 +30663332343336343936356536363039373037353336333062623138363761646432326464343862 +65363934643762633837386139623830623066396333363336623930386566633030336233653938 +64323637366161306231653565383862396631343865613065343633643263363137323532303431 +34336263626137653333366634386439653666363632353631666332626162386135313365643832 +30363933613035636132643263343166653165363666613834396337636461636461323536633139 +64626639656563356463373566663362353231656162353561303438333932343638396266366130 +30663235353334666532633064386634363462613164386461666332313138373563373663336338 +35313932306338656566326432613438653562373338316462656537336534356530396363383135 
+38326365383264333031363334663263616136363135386430313738376434623833346266336238 +39613032366534373635613063363837346131636638366535376165633065356332323566303630 +65343936643965633563363366356530303662363164653530373661323030383062653937363237 +61303334613737633632633033396565333066363562396562376338633231326131343933373737 +61646236666631633439323435666438316438353437346332366536626163313363633631373136 +65346664303531666432646365343434393037353937353266303930363064333764313965363639 +36323932613236303938396465373831343536613964383538396131376236336539323630373461 +30323966333631353161353265646230653834303762363633613463343632303261356436393466 +37643835653361326130326631356566343133323566653734613132646231373332653539353261 +61336330616162633839633962613461626338636331636536613162353063636262643337323037 +34386435386636613066306466393263303231323039336336356166313433393562303636376337 +31333336353733643632316264353530623733653833656631316162386561653133663834643139 +36343263396630383233393363343535396338383930343530343431383531343161633962613530 +32376632653530343036643863316338393033346466663636356239353434343031306535363632 +62623262363131656433336134336338656362393338353861356132653637623137343438303932 +33666365303732616565393238626461303065396330616132356335316363656536653332346134 +61313435653231323637333139623135353962636461313836386239333534313731303866623964 +33643935366538373338666634386363356237343938353534653361373335316261633561343136 +32323130333331353334313165303836663762613065383632666536383361393862653335363362 +64646562623637623036396336366663626633326638343631316437663361626536343136623138 +33633435396633393934643465663639306431326430613533316466666632373337346163633862 +36366663383066393565336534343263643035616138633231643032613066653338633937643136 +64373537303132383563353362663535616465643736333535373963303630666233386565626137 +61343733623838613135656465636637626164316437626436643936623636616665373937373034 
+62613339383964643463326562326263316530343665643762393430343961366238633035346636 +34313866663564643431613463313735633063303664363937333430323565363164346237343533 +32356563396137666635323266633934663830633364393837626436653564306563326434633935 +34373864626266383136343439633562663738313762646436623862616633613561626461353936 +33653033656331653064616332356238633437653732383963643432313065396137306364356466 +66663665613565313533306139386137633365306465333834326138613332633666633435623365 +37313532303337306335346663343131316632363237353835653636383165613030393634666332 +32383634336266313638393731303462656663386433316464363733623532336461303062623961 +35653535343562613938343963336635346164346133616466323634363439363662633666313963 +35366665323236623132633832613764333630323738646434373136646139316138663634363831 +66303636623766656436323336613631666234363162613031333836326531303530316539613066 +30303161343935323763663766396164623534616562613361653138663565356432323462653263 +35343364653261663033313934343631626432623266376539303235383066363935326636356534 +38303533346562326539393037326334653234313237356433363430623035363039313035636364 +30313666633266653036333661343232616532643264316337636631303035376264623461306163 +34303936383435653838663435366164313265383438306632386333363961356662356265363531 +32613637613030346331633664626537666164623535653837353836346531313062356239653065 +66656161366433326461376333656130353665326433303434653730656333333934623430303863 +30663531316461633233333331643966333162346562323634376164626636666334343039353362 +61343265663866303533363364626531643861663534643766313966316330363065626537306338 +33386430323365323336383331343432613437336663383335366336666134333636343738373062 +61383865656136343936396138633833613830313630636337633938353231613330633463643439 +37306134356339383032313438356432376138326133373132356365653433663738646661613635 +66666539366530306532356239343062383934313030396139343334373566313964643738613635 
+32303539626566336433643065313537326431353364663537316536613836663862396338616164 +30656631663266336233623065653032346232343134393939623130393262643534623834626532 +3066323131663935383063373564313564666662356438643833 diff --git a/roles/separate_build_node/templates/rpm-sign.conf.j2 b/roles/separate_build_node/templates/rpm-sign.conf.j2 new file mode 100644 index 0000000..1b9d3a1 --- /dev/null +++ b/roles/separate_build_node/templates/rpm-sign.conf.j2 @@ -0,0 +1,15 @@ +SCRIPT_DIR="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" + +SERVER_BASE="{{ rpm_sign_server_base }}" + +# --- Authentication (mTLS is preferred when both are set) --- + +# mTLS client certificate (issued by helpers/issue-mtls-cert.sh) +MTLS_CERT="$SCRIPT_DIR/rpm-sign.pem" +MTLS_KEY="$SCRIPT_DIR/rpm-sign.key" + +# JWT token (fallback when mTLS cert is not available) +JWT="{{ rpm_sign_jwt }}" + +# --- Optional: custom CA for verifying the server certificate --- +SERVER_CA="$SCRIPT_DIR/rpm-sign-server.pem" diff --git a/roles/separate_build_node/templates/rpm-sign.key b/roles/separate_build_node/templates/rpm-sign.key new file mode 100644 index 0000000..6db5122 --- /dev/null +++ b/roles/separate_build_node/templates/rpm-sign.key 
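Review bot: `JWT="{{ rpm_sign_jwt }}"` and `SERVER_BASE="{{ rpm_sign_server_base }}"` are rendered inside double quotes in a file that rpm-sign.local `source`s, so a `$`, backtick or backslash in either variable's value would be expanded as shell when the config is loaded; single quotes (`JWT='{{ rpm_sign_jwt }}'`) make the value literal, and Ansible's `quote` filter (`JWT={{ rpm_sign_jwt | quote }}`) is the fully general form. The comment says the client certificate is issued by `helpers/issue-mtls-cert.sh`, which is not part of this change; if it lives in another repository, name it, otherwise the reference will go stale. `SERVER_BASE` is later joined with `/sign_module/` and `/sign_efi_digest/`, so a trailing slash in `rpm_sign_server_base` produces a `//` path; either strip it here (`SERVER_BASE="{{ rpm_sign_server_base | regex_replace('/$', '') }}"`) or document the expected form next to the default.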
@@ -0,0 +1,169 @@ +$ANSIBLE_VAULT;1.1;AES256 +61323832356662306639393764383939636636633931303365373630666237373662316635646339 +3633646161306532636237623330356239663834326361380a383232636537616635386664363934 +63356634366638653962313934376132363735663938306539363934363338613230333135366137 +3736376334346632300a623763356464366133313939636531633939343461316230386234336165 +36353135356664386362613433323365626366353164646237306435366334653430366431363234 +39326462303132666237323361623662653862303061303730306235336630356466343363653462 +66373966326333373565303361303134363534386565653636643534333462316539363762646431 +38313036663934616236663639353131373966373330633938383363306366653537393230313833 +65313663353130653236303034303236643331373736393135343664326165343866666164663366 +33623235636430666463343133663164633933613539666232663638336466346165396466353332 +31316531316530353962313036316631363363363636663862363066613264376566646532343966 +63646135336564363664313530336533653331633363313739333838666561633132313238623264 +30333338303566343630393639616334323963646663323363336537336665326332396537396637 +39663031343336393135323365363561356565616134633466353961323532336630333262396338 +30393762623262373131373132316631666535626464363764333830323261343136373635353837 +35643530613062373832353962386664386537393466643433643464633837633639333632373636 +62326439636139326136666536306239333864626266363231643438633035383230353663306430 +33343934353137393235633235323763633233373638356362326533613232313666616262376632 +39343665616338643132643165383766393961393734386239663635326162386335363734383365 +31333964653265303361346561343431373065356165313739666338616531363333636633633262 +36356539306461313764353430373839333332386562653236363337666334633532653765303135 +35663838666530646531363230386166336532356662613138336138323033333231366163663732 +38656661653939393632376336363737653439663364303833306338396339643164386537306135 
+34336436303062303137386338383436626264333930393039363465393566353833303634393833 +62633861666234646335316364333166376434353961643364343338343030353534616364623064 +30643461353861336166663865323431356537383631616530393631623361623837333831343939 +33643735366136323962386261643466636531356161306564353963353932623363616335336366 +61346634636362326263656566646439313762353735666234353433626637373661356562333331 +61386266633235623063366336373263323064316265353666636564613765633664393935663331 +64613766323639643034633239623734303834373938623033666437613433356262613336353562 +35343465356436343739326463306334346635393134643432666162306639326437346566303332 +38303364393334633138663638343363653233666332626630336634386435653537393963383864 +33323136313437386666306235343934366633353264396231366161363566333737396533656438 +34653035373737346330373939646238633034386532313434393865633632303461356135623461 +30613335363364383833313866643637663236636463663936383431396233343331353562356461 +36626465373363346639383866666337643035626134323134653833363534633461393936633232 +32366534616437353365376433316166653231333234666666323630393361363132653465653266 +32613739396663356635326334616163646166323338366663306362396163383831643035633832 +33613437383135386361323161373736306465353432633833643862303366306635366438313335 +31396365653961623831616338613435373265613639653863633839656131363664666231666462 +30343566666363366435336265323537633138323662386665396238363237303032663430323033 +38353234373338626137623036353164653131633639306537623262663533643362396464613730 +62626264346232633533363962323565323631343066353136623037313633663132366331633530 +65383534633739613765653065363830353633366336613063666236356463323134363565646135 +30666162323535636265636564613331386630386464393635306262636330663964333964306132 +34636564656436616138663039376535326531623238353064393066333831343034333261343264 +38646430616666343239636635366436383763333732323463306530613736376432303839613134 
+65396630633238643738623666303130363864373435353139306130663039373130383761383031 +62343364313163653831636666623331393662373864383635633665646535326664616166636332 +64386362313530356565643638383136626636343262656232376438333333353861376331356261 +32373062613737663635333461636438336532666238326266383566653363656432363435643463 +61653239386139636338316638393338323563343839313863336263623734613565336363383438 +61613636366261376133656530326437636638623634343934333564393731316439656232653433 +64653464326365613636643236316339316562643937393839386436303338633561613835366536 +37653834306634316632653434636661666235316463333932613663393430373365393937393931 +31313437393738356430653233666334336231303535313632323631353031313938363333616337 +63396131643361396436353066616464633863383961336438316334663635313936626139346666 +61656166366431336339636461656534333939616138653662376139623066366639653765396132 +32323435363431373364363836626530333333386166326438313837346566396132333266393936 +33616166626635343836633635353838336166353634303936346162616531613639646264643231 +39383664386363626162623334333265653236356635396663643262313136616464633030633134 +39663961633535636435353064376536353837613436646362623762396534376636316165396165 +34623236646138376632643466366233333163323263356331333762383564663332613032653932 +38666662336336363739383332343630626630383232396230323037343637666264396234643763 +33353530623566656264386462613665373735366535363836326235636237353561323738646662 +34346661356563316435303863366638623663353162613034386663363763366164333038386463 +64373835333236363930303637333032633261383461313466356437343738613564616536386464 +36303962326164366263393738386563303831626334646134626139336564356437366532323338 +39653061356439656264616137303561373938363934353661303065643564373135643439656331 +65633261376163386262626331383666643938363035343438656339323935303262353335326235 +64636330346364333231633566633933626235316333313062613331353231643562303331303161 
+35393063343834643161383634323537396237666337393430303763386566623532613737383939 +36376138333530666434383639373831333865346138656464616662383131643564373032636161 +39613534653639613838356262373639373830373734643634643066316665633432633666303733 +62376135366266386662623163366265343235636166353038663037623063343339343534633239 +39373434363561383538663632376538636230393033353932376539623462333939646166643161 +65363066323731383561343933336664353331646466353533613839326666326464613334343238 +31386433393264363262656234363633613663396632356561616464346535666434613037383438 +64333164363162643232646162656335633839336461663062316639303835356261393461333934 +61653263346237636264623939363432313665643136396562306434623038396339343532396536 +62323333653665663962303564326662656664383162366635663032316364363531633737306563 +62613937623736313166373464613966653466343132613135306535353833643536306130386663 +64346434386262656534323861323034306339336361666237653634323731303137646666383363 +35633031356433343837383066653630633532376333346339346332303363646364323330616137 +66326334326434306565373236366632333965386634376635366137646537653965363830383466 +35303635623330346639346161613135643532383465323564313730316634306632303234336137 +64363031633261623636326134366365323536336532656632663861376335306236643339636362 +61653261393165663062383464343766663132303531303235313065643038323034386537626230 +66643935303331306366393537323638323738353139303230326166346130386165323361303931 +66393532346161333766366366386630366237336135666532616432343139323036353262363937 +61353064356132626565313732653064343632623434666632363030353635623065356565313665 +34383239343261313939313465386532636432363763323437373531356635343565633138373431 +38653539653935353965393931306562653432346261313764303661356263636236383731343635 +34653530616566313733656237633362656333336438663337366666616536373765326662373264 +36393466353739366664653630366231663032343262353037303637373934353161383136313835 
+31316462306162633133316138303536626665393932323339386239633239353530333761363364 +31636139643961633030653236376330626334323662353365343335623634323734343861623861 +32326161393761623037626162366430656538346531356532326161396530383562326634333439 +63633866333132626265383265626532333165313865616539663737623161616366373664316235 +30383165383637306635363131333662306337386566313161656637303239393563633966643937 +64623530396634323830333862636634333638646532393363663233636665393362353331623365 +37383763363734646463623036376331396534663239383538626236323063376530343031323138 +39303263343238383363393662316630373065343962363338346236323338363138353938663432 +31623631333065323466656664366665323437643436333936663262653633623331333364653064 +33343735383137343261386239363531613461353333306338626431643532623038303430343535 +36656136646431616233323332633832373466306530636261333336663834326662633965623038 +36376230343335366136386635373835316437353831363435386639333663363532343030383766 +64363766636362643964343164633730666561306439633533326130646562306539386661343064 +62326435363965323538363835623965353730356362663161336434623438363164616136353930 +31613534613938633366313438303435373035616439643036663661386231323137356234343231 +31656432613732323164383966373338363238616534643731313761353162666462376438646535 +61303534346631633838353138306235373866643731346562326633363733643631633562323234 +38633563616231663462333231376161623035346530653239313237623339306266326435616463 +62666432383237353338393230303937363333343334306434346232613131373766363763626464 +31613932323863396164653465663432316432316531363564653362626231323831323933383361 +66353464356630323430373530316633303439353931633365363639633936616138303232613936 +65316635343938373463666434303131303863356164313236353266613133326639653261333332 +31623265663361326435613931326136343339616565623338383431633336383166356237393138 +32393466303662646164376564633264656632396666356232376234333838636364333732353234 
+33613465323338333764343431643637373662656265346366366266653162333664353437323365 +63663965346235386162363638363130383733376261373637663736383137346531343565323362 +36613264623535666561623563313836353935376464326465363865343037326338333261346131 +30366333363366346262636633333138326536643136636432633634336634646663393161333531 +35343963356537323563343232383761643539343761636261373639396634626265313632376239 +66333733326435333038363635663861653433343065333830623939656430626263393835316563 +37313063643266656630316330623738666133343434653963313732393934346430633535646234 +31663331306431303339626564643965633331363730666162336566366534373135313461623161 +38303064316136343236613438333566653462663861623635383937313235616361636237303835 +64363738353738313434663665663932366263393831643665303633333366646163343038366537 +34336462356631333030366532616630653139363063633562376339353039373236656363386336 +38663239356538626137303761376333316361333636346664383431303536316239623931656430 +38346662303932653935383766396462623266396433333335333333663732623761343664343566 +30303534663835316232643862323338663637333434613663626165373835646663356665613336 +34316333353431356433666630666635356534303165623936666432663864656530663965356661 +64316433623162363062393533656133323730336439323637613937393739613535633331613238 +34646333613164383162326531376464333364323239366464383866316530343231343838366431 +35396338306462353731303334663333306239366566623565616463343938663463393337353164 +63386537653233663932643237663238656438346134306339363138393163626632646138633663 +61393336376365386231393366343662366662363632323338613364633232376464373266636230 +30303931623132353065363666373639323037616534306431643631633037613864326432333931 +63633935353739353638633762643864396639646330333231363335343261316236653638656366 +38346565316531316434313730373737636263623366373836383039656433633763636636343436 +38353162636361326463333736303535623833643033363862363761366634323837323763373634 
+65373938353336303034306166333632613066646339303231313738326239333637323435346439 +34383462646233346132643465303765386537633364323162613063386130306433373632613461 +37346430353761373035616238366537303734303932366263643031393364656234666165353363 +35613563653963343665613537373763306231626566336638376462643232613465373161376532 +65626435393738393939666166656438333336636532353230373630353330383039373232666334 +65336531386636663566363132316262666631643961383436336232376438396564373430393465 +34333366626661313965356134356335616366313639333364613537343162666162373063353865 +36623761373533633062366362666466396464383138316262653435323932306639616136333833 +39386337346538613962386531313165646665333239356437303535373932376566343661353361 +37386161613039383366643539303831376231626331306464303064396336643162353136626134 +62633362333063306637366266393736346164373865646436353265653165666639356332336465 +30366434333039623230646562313436363738353564343631656465386333343634313961316664 +31343230616132666462303834326334363066393866376231643333376331336463633531343862 +61633261623935646430366634306163363766613831316531343432376662306566646364396162 +39643761383362343066346364326461383135386338323338386439363133306565323761626239 +37313764313636643439653038623333373731653262373261653836313466356363363465336566 +61663461643734303565376536663366663230623666326233313561616666646632613834353465 +61376666303437383266363131666532383230613932633431646166666234303534363264366536 +62623030623538363336366137313563363635316562323965613439646133663962363666363338 +64363138336634313662336264663936326465303031646466346132323332656239613037363237 +32383530616661373361336661663234663536333437633162616263343733643064326138626661 +61356237623264663733363364396439353165653130386538373530366464353634633936366231 +63356135303535653164313561323962663465363535636263323031303038393334393931363733 +65396264336531303363396231656533623965323830326265646365623835313237373536316439 +39633339666361303735 
diff --git a/roles/separate_build_node/templates/rpm-sign.local b/roles/separate_build_node/templates/rpm-sign.local new file mode 100644 index 0000000..d0db784 --- /dev/null +++ b/roles/separate_build_node/templates/rpm-sign.local @@ -0,0 +1,67 @@ +#!/bin/bash +set -euo pipefail + +CONF="$(dirname "$(readlink -f "$0")")/rpm-sign.conf" +if [[ ! -f "$CONF" ]]; then + echo "rpm-sign.local: config not found: $CONF" >&2 + exit 1 +fi + +# Defaults (overridden by conf) +MTLS_CERT="" +MTLS_KEY="" +SERVER_CA="" +JWT="" + +source "$CONF" + +if [[ -z "$SERVER_BASE" ]]; then + echo "rpm-sign.local: SERVER_BASE not set in $CONF" >&2 + exit 1 +fi + +# Build auth arguments: prefer mTLS, fall back to JWT +CURL_AUTH=() +if [[ -n "$MTLS_CERT" && -f "$MTLS_CERT" && -n "$MTLS_KEY" && -f "$MTLS_KEY" ]]; then + CURL_AUTH+=(--cert "$MTLS_CERT" --key "$MTLS_KEY") +elif [[ -n "$JWT" ]]; then + CURL_AUTH+=(-H "Cookie: JWT=${JWT}") +else + echo "rpm-sign.local: no auth configured (set MTLS_CERT+MTLS_KEY or JWT)" >&2 + exit 1 +fi + +# Optional: trust a custom CA for the server certificate +if [[ -n "$SERVER_CA" && -f "$SERVER_CA" ]]; then + CURL_AUTH+=(--cacert "$SERVER_CA") +fi + +MODE="$1" +KEY="$2" +INPUT="$3" +OUTPUT="${4:-}" + +case "$MODE" in + lkmsign) + curl -s --fail -X POST \ + -H "OS: ${KEY}" \ + -H "Content-Type: multipart/form-data" \ + "${CURL_AUTH[@]}" \ + -F "input_file=@${INPUT}" \ + --output "${OUTPUT}" \ + "${SERVER_BASE}/sign_module/" + ;; + rsadgstsign) + curl -s --fail -X POST \ + -H "Sign-Cert: ${KEY}" \ + -H "Content-Type: multipart/form-data" \ + "${CURL_AUTH[@]}" \ + -F "input_file=@${INPUT}" \ + --output "${INPUT}.sig" \ + "${SERVER_BASE}/sign_efi_digest/" + ;; + *) + echo "rpm-sign.local: unknown mode: $MODE" >&2 + exit 1 + ;; +esac diff --git a/roles/separate_build_node/templates/rpm-sign.pem b/roles/separate_build_node/templates/rpm-sign.pem new file mode 100644 index 0000000..01671c5 --- /dev/null +++ b/roles/separate_build_node/templates/rpm-sign.pem 
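Review bot: With `set -u` in effect, calling the script with fewer than three arguments dies on `MODE="$1"` with bash's generic "unbound variable" message instead of a usage line; add `if [[ $# -lt 3 ]]; then echo "usage: rpm-sign.local <lkmsign|rsadgstsign> <key> <input> [output]" >&2; exit 1; fi` before the assignments. In `lkmsign` mode `OUTPUT` defaults to the empty string, so omitting the fourth argument runs `curl --output ""`, which curl cannot open; if the convention (as in modsign) is in-place signing, default it with `OUTPUT="${4:-$INPUT}"`, otherwise require it in the usage check. `SERVER_BASE` is missing from the defaults set before `source "$CONF"`, so a config that omits it trips `set -u` on the `-z` test rather than reaching the intended error message; add `SERVER_BASE=""` to the defaults block. `-s` without `-S` suppresses curl's error text on a rejected upload, so `-sS --fail` is the better combination for a script that already takes care to exit non-zero. Because both modes write the response straight to its final path, a truncated transfer leaves a partial file behind; writing to `mktemp` output and moving it into place on success would close that gap.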
@@ -0,0 +1,97 @@ +$ANSIBLE_VAULT;1.1;AES256 +39656565353161633564313162636165373637633833613534646332656566663035663830383835 +3930343830363230363435376638323137353639333537620a363661333133613232336535633864 +38623161313331646230373630616633333438623537333764663363313662396363333164383438 +3766306663363336300a656136626264396463626164623436646364646533623065666261373133 +64393264363137663534313738633263616132383266343934623663313665343038393163396566 +38323734333361616432363435393430616330353932316639343366326561653332636337663838 +62666230666462626630356361386666653162353462373635376561323337653330386433316135 +36326165316366643263633034393233376437333162313738616563386261383363636663623762 +34303236313434663733316337613233356630646565353761383833653163623537666131353765 +31366365653261313665373262336335393236383165653362376538666665356630373335643232 +36333066323630343266383738393964356638653165303530663562623639363565613961303766 +66393137313638313233653763613165633830353038356336386565393961636365353762353062 +30336535613439656233623039616137616461363630323731653132353530383462613061356365 +63363334666534303339653861356231363164333765346661643865316138343736333831336636 +66393635363562616339616430313138616435383864353633653337623063633734396332323163 +61333066353231393639343261343535323066333364316264306634663731653531363031323031 +33383063303438633535313631653464646565633935343462333734356130346636623062633134 +63323030376431666465646438633064343535343838623035626661643131653961613138396164 +34306364363637346363626537383566646164613564343738356234366235643338326331313139 +39363139613366353637336632323330646164646439363430366461343136643065333536363936 +37343537386163333164303963626265333232303464613161616265666533646138613234306366 +30343265306638643665386666393736306338306630343034383164343363313331323831363435 +62623233313561643262396465323037393131646530366331393632376537373566653066616566 
+31646562626437333662343165333863623033613462303938353635666435316166366135343136 +35346239373263613537623565353762323739353561346631623738643662326533363138396163 +32313839366538306466663164383538636637633661353263643134613866323137323230336264 +36636530323139666237323264656563323733666261363130303833366139323665646636646432 +66393666326566323633346237623264323530383439393135636565343131353131386165343432 +65643232383131376130313039343730666465303839323736656333343432316236316365303836 +32306463326535663933643062666133343063336234373462303832333564303934663730353238 +33646563306462656463386266353734316361643266323962333661383633343166363466323231 +39623333323832323439373863303066363235646637653738616136636336393638363033336362 +61613062326335343636343361303732363064343639626662393436346637616166396561653134 +61386232396530373437346436376235633866613265623132643034353431306432643661633762 +64633364306364666164653236623939616139333531663634313039373963653736323734383634 +32666463336463653635366565386636386332333963323839343365393133346365646136356131 +31306633303532323463633130356330346266326130333265653237653662386566633732353466 +30636435303137366562343239346364623465653833646633363938376238663738623064313833 +61303165386362616136653661626565613433636264383433616635323664333837366533376162 +34656230316138383930313164393965386238636230343734353133626166663938313639356462 +62616534346237616339623366656665393538373866343431363263323162636239323765366332 +30643434636132343139613166373835643561343730326461653835666636333032383530636530 +64386432326638333463326635663963663065353737363733396364643639643063336232666333 +37343139316234613832633461326264633463383133383139376335303062323763643334633337 +63363739373333666338656264393064663133323133633733376533353238383633633337623466 +63356331313831326663326532623932336263316136653139393231376162616666626461643434 +36386663336431636635616339663039646262303735393138316361663836356230356334613163 
+30393130306231326430313736643838323039653164353764623665313537323830303333316263 +30623262656432633132393338663165636637393034343033306335636562393736346365323462 +38376437386131653962613333323265666636663936383463303163303831653630383961643734 +61643036356164356463373934633637303733343336613663343432313231353261303861376662 +32396666613963373466353131646564303338386238323135376635363065386436323438393662 +36316235303835343736316539333863383534636662373662623235383231346362363533386134 +62353062346530666538326665316231653633323037373635613464616631356465333433333632 +33643235333439353432336636306363363331356363313261626438343863396336646634636136 +30323838656235336636666532303533346365663330333030363635323038336164353436386631 +39316438643363616139306332616164373633323965643334643431333838333439633164663737 +62343262666332383531383364306135353837366330373539336666313633663461333538336337 +39643131626334666633626331383639393062393038653264333565333761326466336139626531 +30666462346536333238333533353539393066393439333935663633313035623237346638346166 +61323865623337333335323834346134366432326561343032376464353635626565363062333732 +63396665646636356663646132616431323366386336653063633434643164303166343564663536 +30646462303163626133663531643866633766633937613163656663633366373936363130343335 +35643432663035653330383836336637326362373932666564316266326537633164356561643635 +63313734393564373939326335333330396162333832363261623765656363323264663538323563 +62633565323361333731366662393161393661633366313165373737356261366638633262646436 +35303731303365636663333132366664363463393337643634663964383630326165653663316562 +31313161303836396334383362343736323437333864373062316532343963353962636633636366 +30623031356464656662623034336666623334383531643263666131336631303264653837393332 +39663334626337313766353661333435666530633866303465373463313331376230366338636637 +35626335646230326430633464303861393533376232303465613966396131616363636433306162 
+35316437326338363534313234643065383966383530303634633330316530613563373139313064 +63633935313438343936663535636661356137376433393233316366626336663433376264376330 +35326136366264643230313161313335343964663337633331363439653662323863343230336337 +32313564336330653933303266303063323036633735343762613135633964326331623135376231 +37336263353033633330613462666131386231616437333433663464346233646536306263356161 +35623961626130303866383837623733313166393266383035343034613638366238346361636264 +32626633336337666338316131616238313061353964363838366136326235613861653734386563 +66633835613237613066623062343964303530643631363163653932373339396636303931616135 +62373332393832383338303034393336333365616565376561633034313636313161616164623032 +39376535313664613038303430636165363130346165346631646138363130393730393062316362 +65346337376466303833303933373063323364633163663737656466623737363635343730313137 +33396336643134613332306466353632336438663235643230656432346638646365656531656164 +37616432306265343965396630613865353234323665653664373764393462633762393436613262 +65303862386339356566343639373966666636363532313437313933346334343836386465626337 +38653330306130663639366436386333373038373339376434633037646637616235326366393261 +37303763343764346462393162326131633761313635376131616461323466613739316263373263 +65653739323536663233306335623765663661663730356465356439613834313331346463653539 +35626163633264366130613337313263636432663863353364626635363963343837633037373263 +36346539303738323638303238313738613664613962393562663134643661393861646664613862 +31366333633630306236633864333461663133313031633661343237643964633065383738643631 +32366237383234633835393630333863356439626433653031363331373933643639316564336636 +36613334333166366337643663333036333665626464646665323439323164663965623330393132 +66333232373735613862653665613964626537613965663735386133366465353135613435623465 +65663566393563383264653439383566643639383134303634396533363461613564636234363937 +63373637653064613036