diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 1454a167a260..7e5a1743ac09 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -44,6 +44,11 @@ jobs:
         echo "yarnPath: '$TMPBIN/yarn.js'" >> .yarnrc.yml
         git update-index --skip-worktree -- .yarnrc.yml
 
+    - name: 'Store the secrets'
+      run: |
+        printf "${{secrets.SIGN_PRIVATE_KEY}}" > /tmp/yarn.key
+        printf "${{secrets.SIGN_PUBLIC_KEY}}" > /tmp/yarn.pem
+
     - name: 'Generate the release commits'
       run: |
         git config user.name "Yarn Bot"
diff --git a/.yarn/versions/manual-1.yml b/.yarn/versions/manual-1.yml
new file mode 100644
index 000000000000..f52a2e42c9b6
--- /dev/null
+++ b/.yarn/versions/manual-1.yml
@@ -0,0 +1,2 @@
+releases:
+  "@yarnpkg/cli": patch
diff --git a/scripts/release/01-release-tags.sh b/scripts/release/01-release-tags.sh
index 3274a78ece5f..43c17a7eeb41 100755
--- a/scripts/release/01-release-tags.sh
+++ b/scripts/release/01-release-tags.sh
@@ -68,6 +68,20 @@ yarn workspaces foreach \
   --verbose --all --topological --no-private "${UPDATE_ARGUMENTS[@]}" \
   run update-local
 
+# Generate the signature
+openssl dgst -sha256 -sign /tmp/yarn.key \
+  -out "$REPO_DIR"/packages/berry-cli/bin/berry.js.sign \
+  "$REPO_DIR"/packages/berry-cli/bin/berry.js
+
+# Let's be sure the public & private keys are correctly setup
+openssl dgst -sha256 -verify /tmp/yarn.pem \
+  -signature "$REPO_DIR"/packages/berry-cli/bin/berry.js.sign \
+  "$REPO_DIR"/packages/berry-cli/bin/berry.js
+
+# We can copy the public key into the release folder
+cp /tmp/yarn.pem \
+  "$REPO_DIR"/packages/berry-cli/bin/berry.pem
+
 # The v1 still uses the "berry.js" file path when using "policies set-version"
 cp "$REPO_DIR"/packages/yarnpkg-cli/bin/yarn.js \
    "$REPO_DIR"/packages/berry-cli/bin/berry.js