diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml index cbdebbb..95b5f81 100644 --- a/.github/workflows/build-bluebuild.yml +++ b/.github/workflows/build-bluebuild.yml @@ -113,6 +113,22 @@ jobs: fi podman pull ghcr.io/secureblue/kinoite-main-hardened:latest + - name: Stage cosign private key for signing module + env: + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + run: | + set -euo pipefail + if [ -z "${COSIGN_PRIVATE_KEY:-}" ]; then + echo "[ERR] COSIGN_PRIVATE_KEY secret missing" + exit 1 + fi + # bluebuild signing module reads from this env var when + # building the cosign.key bind stage. Also write to bluebuild/ + # so it sits next to cosign.pub for local reproducible runs. + mkdir -p bluebuild + printf '%s' "$COSIGN_PRIVATE_KEY" > bluebuild/cosign.key + chmod 600 bluebuild/cosign.key + - name: Build OCI image with BlueBuild CLI container id: bluebuild # blue-build/github-action requires docker buildx which podman diff --git a/.gitignore b/.gitignore index d28d4a7..ac06463 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ test/veilor-vm.nvram* test/auto-install-vm.qcow2 test/auto-install-vm.nvram* .claude/worktrees/ +**/cosign.key diff --git a/bluebuild/cosign.pub b/bluebuild/cosign.pub new file mode 100644 index 0000000..c57f432 --- /dev/null +++ b/bluebuild/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5xQcyP7FHNSiG7+VLsN2ViWlvvIB +FYmu2XmPah7/VBlmuQ88H0ZbqCqqnS2u9x5+P1OMaMK+//k89V0Blrx65Q== +-----END PUBLIC KEY----- diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml index b91c498..826d808 100644 --- a/bluebuild/recipe.yml +++ b/bluebuild/recipe.yml 
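Review bot: The `env:` block on the new step is step-scoped, so `COSIGN_PRIVATE_KEY` is not visible to the following `Build OCI image with BlueBuild CLI container` step, which is the step the added comment says reads the variable; either set the same `env:` on that step or drop the claim from the comment and rely on the file alone. Writing the key to `bluebuild/cosign.key` also leaves it in the checkout for the rest of the job and, on a self-hosted runner that reuses the workspace, possibly for later jobs, and nothing in the hunk removes it, so a final step such as `- name: Remove staged cosign key`, `if: always()`, `run: rm -f bluebuild/cosign.key` should follow the build step. The file is created under the default umask before the `chmod 600` runs, so `(umask 077; printf '%s' "$COSIGN_PRIVATE_KEY" > bluebuild/cosign.key)` closes that window and makes the separate chmod unnecessary. The build step that consumes the file lies outside this hunk, so whether it sets the variable or cleans up cannot be confirmed here.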
@@ -149,9 +149,8 @@ modules: - veilor-postinstall.service - veilor-doctor.timer - # ── 10. signing — DEFERRED ────────────────────────────────────── - # The BlueBuild `type: signing` module expects a cosign.pub + - # cosign.key pair next to the recipe. Generate + ship those in a - # follow-up commit once the operator has rotated the key offline - # and stashed cosign.key as a Forgejo Actions secret. Skip for the - # first green build. \ No newline at end of file + # ── 10. signing config ────────────────────────────────────────── + # cosign.pub committed alongside this recipe; cosign.key kept off + # repo and provided to CI as Forgejo secret COSIGN_PRIVATE_KEY. + # The action exports it to /tmp at build time. + - type: signing \ No newline at end of file
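Review bot: The new comment states that the action exports the key to `/tmp` at build time, but the workflow step added in this same commit writes it to `bluebuild/cosign.key` next to the recipe, so the comment will mislead the next operator; replace that line with `# CI stages it as bluebuild/cosign.key (git-ignored) before the build.` The new side still carries "No newline at end of file" after `- type: signing`, which is worth fixing while this block is being rewritten. The modules list may continue past the hunk, which I cannot see.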