diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b0a27b2db4de7..7a0bdbd435f98 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1259,6 +1259,8 @@ jobs:
 # do (see above).
 CODER_SIGN_WINDOWS: "1"
 CODER_WINDOWS_RESOURCES: "1"
+ CODER_SIGN_GPG: "1"
+ CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
 EV_KEY: ${{ secrets.EV_KEY }}
 EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }}
 EV_TSA_URL: ${{ secrets.EV_TSA_URL }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 69043dc833362..71567cd540502 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -323,6 +323,8 @@ jobs:
 env:
 CODER_SIGN_WINDOWS: "1"
 CODER_SIGN_DARWIN: "1"
+ CODER_SIGN_GPG: "1"
+ CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
 CODER_WINDOWS_RESOURCES: "1"
 AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
 AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
diff --git a/Makefile b/Makefile
index b6e69ac28f223..70ad1f16f0042 100644
--- a/Makefile
+++ b/Makefile
@@ -252,6 +252,10 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
 fi
 cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
+
+ if [[ "$${CODER_SIGN_GPG:-0}" == "1" ]]; then
+ cp "$@.asc" "./site/out/bin/coder-$$os-$$arch$$dot_ext.asc"
+ fi
 fi
 # This task builds Coder Desktop dylibs
diff --git a/scripts/build_go.sh b/scripts/build_go.sh
index 97d9431beb544..b3b074b183f91 100755
--- a/scripts/build_go.sh
+++ b/scripts/build_go.sh
@@ -20,6 +20,9 @@
 # binary will be signed using ./sign_darwin.sh. Read that file for more details
 # on the requirements.
 #
+# If the --sign-gpg parameter is specified, the output binary will be signed using ./sign_with_gpg.sh.
+# Read that file for more details on the requirements.
+#
 # If the --agpl parameter is specified, builds only the AGPL-licensed code (no
 # Coder enterprise features).
 #
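Review bot: The two added `env` entries in .github/workflows/ci.yaml hand the release signing key to the CI workflow as well as the release workflow, and scripts/sign_with_gpg.sh in this same commit states that the imported key is not password protected, so anything running in that scope can use it as-is. The job's triggers and the steps sharing this `env` block are outside the hunk; it is worth confirming the block is attached to the build step only and that the job never runs for untrusted refs, and recording that next to the entry, e.g. `# Release signing key (no passphrase): keep this env on the build step only; job must not run for fork PRs.` Signing CI builds with a dedicated key or subkey instead of the release key would also keep CI artifacts distinguishable from releases. The same two entries are added in .github/workflows/release.yaml.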
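Review bot: In the Makefile hunk the `.asc` is copied only when `CODER_SIGN_GPG` is `1`, but nothing removes an older `coder-$$os-$$arch$$dot_ext.asc` when the binary is rebuilt unsigned, so unless `site/out/bin` is cleaned elsewhere a stale signature that no longer matches can sit beside the fresh binary. An `else` branch with `rm -f "./site/out/bin/coder-$$os-$$arch$$dot_ext.asc"` would keep the pair consistent. The recipe starts and ends outside the hunk, and the `.asc` is a by-product of the build script rather than a declared target, so make will not regenerate it if it goes missing while `$@` is up to date.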
@@ -41,6 +44,7 @@ slim="${CODER_SLIM_BUILD:-0}"
 agpl="${CODER_BUILD_AGPL:-0}"
 sign_darwin="${CODER_SIGN_DARWIN:-0}"
 sign_windows="${CODER_SIGN_WINDOWS:-0}"
+sign_gpg="${CODER_SIGN_GPG:-0}"
 boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}
 dylib=0
 windows_resources="${CODER_WINDOWS_RESOURCES:-0}"
@@ -85,6 +89,10 @@ while true; do
 sign_windows=1
 shift
 ;;
+ --sign-gpg)
+ sign_gpg=1
+ shift
+ ;;
 --boringcrypto)
 boringcrypto=1
 shift
@@ -319,4 +327,9 @@ if [[ "$sign_windows" == 1 ]] && [[ "$os" == "windows" ]]; then
 execrelative ./sign_windows.sh "$output_path" 1>&2
 fi
+# Platform agnostic signing
+if [[ "$sign_gpg" == 1 ]]; then
+ execrelative ./sign_with_gpg.sh "$output_path" 1>&2
+fi
+
 echo "$output_path"
diff --git a/scripts/release/publish.sh b/scripts/release/publish.sh
index df28d46ad2710..5ffd40aeb65cb 100755
--- a/scripts/release/publish.sh
+++ b/scripts/release/publish.sh
@@ -129,26 +129,9 @@ if [[ "$dry_run" == 0 ]] && [[ "${CODER_GPG_RELEASE_KEY_BASE64:-}" != "" ]]; the
 log "--- Signing checksums file"
 log
- # Import the GPG key.
- old_gnupg_home="${GNUPGHOME:-}"
- gnupg_home_temp="$(mktemp -d)"
- export GNUPGHOME="$gnupg_home_temp"
- echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --import 1>&2
-
- # Sign the checksums file. This generates a file in the same directory and
- # with the same name as the checksums file but ending in ".asc".
- #
- # We pipe `true` into `gpg` so that it never tries to be interactive (i.e.
- # ask for a passphrase). The key we import above is not password protected.
- true | gpg --detach-sign --armor "${temp_dir}/${checksum_file}" 1>&2
-
- rm -rf "$gnupg_home_temp"
- unset GNUPGHOME
- if [[ "$old_gnupg_home" != "" ]]; then
- export GNUPGHOME="$old_gnupg_home"
- fi
-
+ execrelative ../sign_with_gpg.sh "${temp_dir}/${checksum_file}"
 signed_checksum_path="${temp_dir}/${checksum_file}.asc"
+
 if [[ ! -e "$signed_checksum_path" ]]; then
 log "Signed checksum file not found: ${signed_checksum_path}"
 log
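Review bot: The new call in scripts/release/publish.sh leaves the helper's stdout attached, while the removed inline code sent all gpg output to stderr and the build_go.sh call in this same commit appends `1>&2`. sign_with_gpg.sh prints the `.asc` path on stdout on success, so that line now lands on publish.sh's stdout; whether anything consumes that stream is not visible here. For consistency with build_go.sh I would write `execrelative ../sign_with_gpg.sh "${temp_dir}/${checksum_file}" 1>&2`. The enclosing `if` block starts and ends outside the hunk.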
diff --git a/scripts/sign_with_gpg.sh b/scripts/sign_with_gpg.sh
new file mode 100755
index 0000000000000..fb75df5ca1bb9
--- /dev/null
+++ b/scripts/sign_with_gpg.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# This script signs a given binary using GPG.
+# It expects the binary to be signed as the first argument.
+#
+# Usage: ./sign_with_gpg.sh path/to/binary
+#
+# On success, the input file will be signed using the GPG key and the signature output file will moved to /site/out/bin/ (happens in the Makefile)
+#
+# Depends on the GPG utility. Requires the following environment variables to be set:
+# - $CODER_GPG_RELEASE_KEY_BASE64: The base64 encoded private key to use.
+
+set -euo pipefail
+# shellcheck source=scripts/lib.sh
+source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
+
+requiredenvs CODER_GPG_RELEASE_KEY_BASE64
+
+FILE_TO_SIGN="$1"
+
+if [[ -z "$FILE_TO_SIGN" ]]; then
+ error "Usage: $0 "
+fi
+
+if [[ ! -f "$FILE_TO_SIGN" ]]; then
+ error "File not found: $FILE_TO_SIGN"
+fi
+
+# Import the GPG key.
+old_gnupg_home="${GNUPGHOME:-}"
+gnupg_home_temp="$(mktemp -d)"
+export GNUPGHOME="$gnupg_home_temp"
+
+# Ensure GPG uses the temporary directory
+echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --homedir "$gnupg_home_temp" --import 1>&2
+
+# Sign the binary. This generates a file in the same directory and
+# with the same name as the binary but ending in ".asc".
+#
+# We pipe `true` into `gpg` so that it never tries to be interactive (i.e.
+# ask for a passphrase). The key we import above is not password protected.
+true | gpg --homedir "$gnupg_home_temp" --detach-sign --armor "$FILE_TO_SIGN" 1>&2
+
+# Verify the signature and capture the exit status
+gpg --homedir "$gnupg_home_temp" --verify "${FILE_TO_SIGN}.asc" "$FILE_TO_SIGN" 1>&2
+verification_result=$?
+
+# Clean up the temporary GPG home
+rm -rf "$gnupg_home_temp"
+unset GNUPGHOME
+if [[ "$old_gnupg_home" != "" ]]; then
+ export GNUPGHOME="$old_gnupg_home"
+fi
+
+if [[ $verification_result -eq 0 ]]; then
+ echo "${FILE_TO_SIGN}.asc"
+else
+ error "Signature verification failed!"
+fi
pFad - Phonifier reborn
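Review bot: With `set -euo pipefail` in effect, a failing `gpg --import`, `--detach-sign` or `--verify` exits the script before `rm -rf "$gnupg_home_temp"` runs, so the temporary keyring holding the imported private key (which the script's own comment says is not password protected) is left on disk. For the same reason `verification_result=$?` can only ever be 0 when it is reached, which makes the `else` branch unreachable, and `FILE_TO_SIGN="$1"` aborts on an unbound variable before the usage check when no argument is passed. Registering the cleanup with a `trap` on EXIT, reading the argument as `${1:-}`, and testing the verify command directly in the `if` would address all three, as sketched below. Restoring `GNUPGHOME` at the end also has no effect on the caller if the script runs as a child process, which is how the visible call sites appear to invoke it.

```bash
FILE_TO_SIGN="${1:-}"
# … unchanged: usage and file-exists checks …

gnupg_home_temp="$(mktemp -d)"
# Remove the temporary keyring on every exit path, including a failed import, sign or verify.
trap 'rm -rf "$gnupg_home_temp"' EXIT
# … unchanged: key import and detach-sign …

# Test the command itself so a failed verification reaches the error branch under `set -e`.
if gpg --homedir "$gnupg_home_temp" --verify "${FILE_TO_SIGN}.asc" "$FILE_TO_SIGN" 1>&2; then
  echo "${FILE_TO_SIGN}.asc"
else
  error "Signature verification failed!"
fi
```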
