diff --git a/pipelines/monolithic.Jenkinsfile b/pipelines/monolithic.Jenkinsfile
index f0f694c..2fd3592 100644
--- a/pipelines/monolithic.Jenkinsfile
+++ b/pipelines/monolithic.Jenkinsfile
@@ -163,9 +163,6 @@ pipeline {
 booleanParam (
 name: 'BUILD_ISO'
 )
- booleanParam (
- name: 'POST_ISO_SIGNING'
- )
 booleanParam (
 name: 'BUILD_RT'
 )
diff --git a/pipelines/parts/build-iso.Jenkinsfile b/pipelines/parts/build-iso.Jenkinsfile
index ad96af3..b5a07f1 100644
--- a/pipelines/parts/build-iso.Jenkinsfile
+++ b/pipelines/parts/build-iso.Jenkinsfile
@@ -43,9 +43,6 @@ pipeline {
 booleanParam (
 name: 'BUILD_ISO'
 )
- booleanParam (
- name: 'POST_ISO_SIGNING'
- )
 }
 stages {
 stage ("build-iso") {
@@ -54,7 +51,6 @@ pipeline {
 }
 }
 stage ("sign-iso") {
- when { expression { params.POST_ISO_SIGNING } }
 steps {
 sh ("${Constants.SCRIPTS_DIR}/sign-iso.sh")
 }
diff --git a/scripts/build-iso.sh b/scripts/build-iso.sh
index 9b2ed71..73bacc5 100755
--- a/scripts/build-iso.sh
+++ b/scripts/build-iso.sh
@@ -14,12 +14,25 @@ require_job_env BUILD_ISO
 load_build_env
+require_job_env SECUREBOOT_FORMAL
+require_job_env SIGN_ISO_FORMAL
+
 $BUILD_ISO || bail "BUILD_ISO=false, bailing out"
-if [[ -n "$SIGNING_SERVER" ]] ; then
- notice "preparing secureboot signatures"
- stx_docker_cmd $DRY_RUN_ARG "SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER} PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
+if $SECUREBOOT_FORMAL ; then
+ notice "signing secureboot packages"
+ [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
+ sign_secure_boot_env="SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER}"
+ stx_docker_cmd $DRY_RUN_ARG "$sign_secure_boot_env PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
 fi
+build_img_args=
+# Job is configured to sign the ISO with official keys.
+if $SIGN_ISO_FORMAL ; then
+ [[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"
+ # Don't sign ISO with developer keys; we will sign it separately
+ # in sign-iso.sh
+ build_img_args+=" --no-sign"
+fi
 notice "building STD ISO"
-stx_docker_cmd $DRY_RUN_ARG "build-image"
+stx_docker_cmd $DRY_RUN_ARG "build-image $build_img_args"
diff --git a/scripts/lib/job_utils.sh b/scripts/lib/job_utils.sh
index 985bb30..b77f8d2 100644
--- a/scripts/lib/job_utils.sh
+++ b/scripts/lib/job_utils.sh
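Review bot: On the `sign_secure_boot_env=` line and the stx_docker_cmd call after it, SIGNING_USER and SIGNING_SERVER are expanded unquoted into a command string that is re-parsed by a shell inside the container, so a value containing whitespace or shell metacharacters changes the command rather than just the target host. The previous code had the same shape, but the new option plumbing only checks these values for non-emptiness and the same values are later exported to sign_iso_formal.sh. A cheap guard next to the existing `[[ -n "$SIGNING_SERVER" ]]` check would be `[[ "$SIGNING_SERVER" =~ ^[A-Za-z0-9.-]+$ ]] || die "SIGNING_SERVER: unexpected characters"`, with a similar check for SIGNING_USER, or the checks could live with the other option validation in __set_build_vars.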
@@ -182,6 +182,39 @@ __set_build_vars() {
 else
 PARALLEL=
 fi
+
+ # Validate & set defaults for ISO & secureboot options
+
+ # SIGN_ISO_FORMAL was spelled as SIGN_ISO in the past
+ if [[ -n "$SIGN_ISO" ]] ; then
+ warn "SIGN_ISO is deprecated, please use SIGN_ISO_FORMAL instead"
+ fi
+ if [[ -z "$SIGN_ISO_FORMAL" ]] ; then
+ if [[ -n "$SIGN_ISO" ]] ; then
+ SIGN_ISO_FORMAL="$SIGN_ISO"
+ elif [[ -n "$SIGNING_SERVER" ]] ; then
+ SIGN_ISO_FORMAL="true"
+ else
+ SIGN_ISO_FORMAL="false"
+ fi
+ warn "SIGN_ISO_FORMAL is missing, assuming \"$SIGN_ISO_FORMAL\""
+ fi
+ if [[ "$SIGN_ISO_FORMAL" != "true" && "$SIGN_ISO_FORMAL" != "false" ]] ; then
+ die "SIGN_ISO_FORMAL must be \"true\" or \"false\""
+ fi
+
+ # SECUREBOOT_FORMAL
+ if [[ -z "$SECUREBOOT_FORMAL" ]] ; then
+ if [[ -n "$SIGNING_SERVER" ]] ; then
+ SECUREBOOT_FORMAL="true"
+ else
+ SECUREBOOT_FORMAL="false"
+ fi
+ warn "SECUREBOOT_FORMAL is missing, assuming \"$SECUREBOOT_FORMAL\""
+ elif [[ "$SECUREBOOT_FORMAL" != "true" && "$SECUREBOOT_FORMAL" != "false" ]] ; then
+ die "SECUREBOOT_FORMAL must be \"true\" or \"false\""
+ fi
+
 }
 __started_by_jenkins() {
diff --git a/scripts/sign-iso.sh b/scripts/sign-iso.sh
index 84d1196..3dde135 100755
--- a/scripts/sign-iso.sh
+++ b/scripts/sign-iso.sh
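Review bot: The defaulting added after the `# SIGN_ISO_FORMAL was spelled as SIGN_ISO` comment fails open: when SIGN_ISO_FORMAL is unset and SIGNING_SERVER happens to be empty (a line missing from build.conf, or a misspelled variable name), the build silently falls back to developer-key signing with only a `warn`, and the SECUREBOOT_FORMAL branch below it behaves the same way. For a job that is meant to produce a formally signed ISO, a missing value is safer treated as an error, e.g. `die "SIGN_ISO_FORMAL must be set explicitly"` in place of the assumption when the job was started by Jenkins (the __started_by_jenkins helper is defined right after this hunk, if it is usable from here). Separately, when both SIGN_ISO and SIGN_ISO_FORMAL are set with different values the deprecated one is dropped without saying so; `warn "SIGN_ISO=$SIGN_ISO ignored in favour of SIGN_ISO_FORMAL=$SIGN_ISO_FORMAL"` in that case would make the effective setting visible in the log. The enclosing __set_build_vars starts before this hunk.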
@@ -14,30 +14,39 @@ require_job_env BUILD_ISO
 load_build_env
-require_job_env SIGN_ISO
-$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
-
-require_job_env SIGNING_SERVER
-require_job_env SIGNING_USER
+require_job_env SIGN_ISO_FORMAL
 $BUILD_ISO || bail "BUILD_ISO=false, bailing out"
-$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
-[[ -n "$SIGNING_SERVER" ]] || bail "SIGNING_SERVER is empoty, bailing out"
 sign_iso() {
 local iso_file="$1"
- (
- export MY_REPO=$REPO_ROOT/cgcs-root
- export MY_WORKSPACE=$WORKSPACE_ROOT
- export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
- sig_file="${iso_file%.iso}.sig"
- maybe_run rm -f "$sig_file"
- maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
- if ! $DRY_RUN ; then
- [[ -f "$sig_file" ]] || die "failed to sign ISO"
- info "created signature $sig_file"
- fi
- )
+ local sig_file="${iso_file%.iso}.sig"
+
+ # Job is configured to sign the ISO with formal keys
+ if $SIGN_ISO_FORMAL ; then
+ [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
+ (
+ export MY_REPO=$REPO_ROOT/cgcs-root
+ export MY_WORKSPACE=$WORKSPACE_ROOT
+ export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
+ export SIGNING_SERVER
+ export SIGNING_USER
+ maybe_run rm -f "$sig_file"
+ maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
+ if ! $DRY_RUN ; then
+ [[ -f "$sig_file" ]] || die "failed to sign ISO"
+ info "created signature $sig_file"
+ fi
+ )
+ exit 0
+ fi
+
+ # ISO is already signed with developer keys - make sure .sig file exists
+ info "skipping formal ISO signing because it's already signed with developer key"
+ if ! $DRY_RUN ; then
+ [[ -f "$sig_file" ]] || die "$sig_file: file not found"
+ info "using existing ISO signature $sig_file"
+ fi
 }
diff --git a/scripts/templates/build.conf.example.in b/scripts/templates/build.conf.example.in
index cb0386f..f926ed0 100644
--- a/scripts/templates/build.conf.example.in
+++ b/scripts/templates/build.conf.example.in
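Review bot: In the new `if $SIGN_ISO_FORMAL` branch of sign_iso, both `die` calls run inside the `( ... )` subshell, so a failed signing only terminates the subshell; the function never checks the subshell's status and then unconditionally runs `exit 0`, so the job reports success without a valid `.sig` unless the script preamble (outside the hunk) enables `set -e`. The previous version at least returned the subshell's status to the caller because it was the last statement of the function. I would chain the status and stay inside the function: `) || die "failed to sign ISO"` followed by `return 0` instead of `exit 0`, since `exit` inside a function also ends the script for any later callers of sign_iso (the caller is outside the hunk). The message on the `[[ -n "$SIGNING_SERVER" ]]` line is copied from build-iso.sh and names the wrong option; it should read `die "SIGN_ISO_FORMAL requires SIGNING_SERVER"`.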
@@ -43,11 +43,19 @@ BUILD_PACKAGES_ITERATIONS=3
 DEBIAN_SNAPSHOT_BASE="http://https://snapshot.debian.org/archive/debian"
 DEBIAN_SECURITY_SNAPSHOT_BASE="https://snapshot.debian.org/archive/debian-security"
-# ISO sigining
-SIGN_ISO=false # If false, don't signe the ISO
+# Signing server for formal ISO and secureboot signing (see below)
 SIGNING_SERVER="some.host.org"
 SIGNING_USER="some_user_id"
+# Sign ISO with a key controlled by $SIGNING_SERVER
+# If false, ISO will be signed with developer key in
+# cgcs-root/build-tools/signing/dev-private-key.pem
+SIGN_ISO_FORMAL=true
+
+# Sign kernel-related packages with a key & cert controlled by
+# $SIGNING_SERVER. When "false", don't add secureboot signatures.
+SECUREBOOT_FORMAL=true
+
 # Run this command inside the build container at the end of the build
 # Current directory will be set to $MY_WORKSPACE/export.
 # This command must leave any additional files to be published in that