diff --git a/.drone.yml b/.drone.yml
index d84fbcc..5d32251 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -15,10 +15,15 @@ steps:
 - useradd build -m
 - "echo 'build ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers"
 - chown -R build:build .
- - sudo -u build --preserve-env=PGP_KEY sh -c 'echo "$PGP_KEY" | gpg --import --no-tty --batch --yes && ./build.sh'
+ - sudo -u build --preserve-env=PGP_KEY --preserve-env=PGP_PWD --preserve-env=PGP_ID sh -c 'mkdir ~/.gnupg && echo -e "default-cache-ttl 3600\nallow-preset-passphrase" > ~/.gnupg/gpg-agent.conf && echo "$PGP_KEY" | gpg --import --no-tty --batch --yes && echo "$PGP_PWD" | /usr/lib/gnupg/gpg-preset-passphrase --preset $PGP_ID'
+ - sudo -u build sh -c './build.sh'
 environment:
 PGP_KEY:
 from_secret: PGP_KEY
+ PGP_PWD:
+ from_secret: PGP_PWD
+ PGP_ID:
+ from_secret: PGP_ID
 volumes:
 - name: repo
 host:
diff --git a/build.sh b/build.sh
index 71fb026..e02cf6c 100755
--- a/build.sh
+++ b/build.sh
@@ -14,10 +14,10 @@ build() {
 fi
 if ! compgen -G "/repo/$name-$epoch$ver-$rel-*.pkg.tar.zst" > /dev/null ; then
- if makepkg -s --skippgpcheck --noconfirm || makepkg -s --skippgpcheck --nocheck --noconfirm ; then
+ if makepkg -s --skippgpcheck --noconfirm --sign || makepkg -s --skippgpcheck --nocheck --noconfirm --sign ; then
 for pkg in *.pkg.tar.zst ; do
- cp "$pkg" /repo/
- repo-add /repo/nyyu.db.tar.zst /repo/"$pkg"
+ cp "$pkg"{,.sig} /repo/
+ repo-add -s /repo/nyyu.db.tar.zst /repo/"$pkg"
 done
 fi
 fi
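Review bot: In the added key-setup command of `.drone.yml`, `mkdir ~/.gnupg` creates the GnuPG home with the default umask and breaks the whole `&&` chain if the directory already exists; `mkdir -p -m 700 ~/.gnupg` avoids both. `$PGP_ID` is unquoted at the end of the same command, and since `gpg-preset-passphrase --preset` takes a keygrip as its cache id, a comment stating that the `PGP_ID` secret must hold the signing key's keygrip (not a key ID or fingerprint) would save the next maintainer a failed build. `echo -e` depends on which shell `sh` resolves to in the image; `printf 'default-cache-ttl 3600\nallow-preset-passphrase\n' > ~/.gnupg/gpg-agent.conf` behaves the same everywhere. The passphrase also stays preset in the `build` user's agent while `./build.sh` runs as that user, so every package build script executed there can request signatures; signing in a later step that runs no package code would narrow that exposure.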
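Review bot: In the `for pkg` loop of `build.sh`, the result of `cp "$pkg"{,.sig} /repo/` is not checked, so when a `.sig` file is missing the package is still copied and `repo-add -s` still publishes it, unless the script sets `-e` somewhere outside this hunk. A guard before the copy, `[[ -f "$pkg.sig" ]] || { echo "missing signature for $pkg" >&2; continue; }`, keeps unsigned packages out of `/repo`. Both `makepkg` calls keep `--skippgpcheck`, so the new signature vouches for packages whose upstream source signatures were never verified; if that is intentional, a comment next to the flag should say so. The body of `build()` starts and ends outside the hunk.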