diff --git a/.github/workflows/go-build.yml b/.github/workflows/go-build.yml
index 2781356..28c0aaf 100644
--- a/.github/workflows/go-build.yml
+++ b/.github/workflows/go-build.yml
@@ -2,6 +2,11 @@ name: generic-go-versionbuild
 on:
 workflow_call:
+ secrets:
+ GPG_PRIVATE_KEY:
+ required: true
+ GPG_PASSPHRASE:
+ required: true
 inputs:
 service:
 required: true
@@ -165,11 +170,24 @@ jobs:
 merge-multiple: true
 - name: package with nfpm
+ env:
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+ GPG_KEY_ID: mail@binarycodes.io
 run: |
 mkdir -p dist
 nfpm pkg --packager archlinux --config nfpm.yaml --target dist/
 nfpm pkg --packager deb --config nfpm.yaml --target dist/
+ # sign the package for arch linux
+ test -n "$GPG_PRIVATE_KEY" || { echo "GPG_PRIVATE_KEY is empty"; exit 1; }
+ printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
+ gpg --batch --list-secret-keys --keyid-format LONG
+
+ FPR="$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')"
+
+ gpg --batch --yes --local-user "$FPR" --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --detach-sign dist/*.pkg.tar.zst
+
 - name: upload build artifact
 uses: actions/upload-artifact@v4
 with:
diff --git a/.github/workflows/go-ssh-keysign-workflow.yml b/.github/workflows/go-ssh-keysign-workflow.yml
index 41c0b9b..3a77f65 100644
--- a/.github/workflows/go-ssh-keysign-workflow.yml
+++ b/.github/workflows/go-ssh-keysign-workflow.yml
@@ -24,3 +24,6 @@ jobs:
 with:
 service: go-ssh-keysign
 artifactVersion: ${{ needs.set-version.outputs.short_sha }}
+ secrets:
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.gitignore b/.gitignore
index 3a92b43..e19a6b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,6 @@
 **/node_modules/
 **/*ca_key*
 src/**
+
+# ignore test nfpm packages
+dist/**
diff --git a/nfpm.yaml b/nfpm.yaml
index c62ba8a..3afa1af 100644
--- a/nfpm.yaml
+++ b/nfpm.yaml
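Review bot: The signing commands added at the end of the `package with nfpm` run block sign with whichever secret key `--list-secret-keys` happens to list first, not with the key named by the new `GPG_KEY_ID` env var (which nothing reads), so an extra key in the keyring — and on a self-hosted runner the import also lands permanently in the persistent `~/.gnupg` — would silently sign the Arch package with the wrong identity. Passing `--passphrase "$GPG_PASSPHRASE"` additionally puts the passphrase on gpg's argv, visible to anything that can read the process list, and an empty `$FPR` (no `fpr` record matched) is not rejected before signing. I would import into a throwaway `GNUPGHOME`, look up the fingerprint for `$GPG_KEY_ID` only, fail if it is empty, and feed the passphrase on stdin with `--passphrase-fd 0`, as below. If I read gpg right, `--detach-sign` given several files writes one combined signature named after the first, so the `dist/*.pkg.tar.zst` glob is only safe while nfpm emits exactly one Arch package; a loop over the matches would survive a second architecture. The `run:` step begins before this hunk's added lines and the enclosing job continues outside it.
```yaml
        run: |
          # … unchanged: mkdir -p dist and the two nfpm pkg commands …
          test -n "$GPG_PRIVATE_KEY" || { echo "GPG_PRIVATE_KEY is empty"; exit 1; }
          # throwaway keyring: the private key never lands in the runner's persistent ~/.gnupg
          export GNUPGHOME="$(mktemp -d)"
          trap 'rm -rf "$GNUPGHOME"' EXIT
          printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
          # resolve the fingerprint of the expected key only; refuse to sign with anything else
          FPR="$(gpg --batch --with-colons --list-secret-keys "$GPG_KEY_ID" | awk -F: '$1=="fpr"{print $10; exit}')"
          test -n "$FPR" || { echo "no secret key for $GPG_KEY_ID"; exit 1; }
          # passphrase on stdin rather than argv so it is not visible in the process list
          printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --local-user "$FPR" --pinentry-mode loopback --passphrase-fd 0 --detach-sign dist/*.pkg.tar.zst
```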
@@ -1,11 +1,25 @@
 name: ssh-keysign
 arch: amd64
 platform: linux
-version: 0.0.7
+version: 0.0.8
 section: default
 priority: extra
 maintainer: Sujoy Das
 description: Generate short lived, oauth verified, SSH certficates on the fly
+license: GPL v3.0
+homepage: https://github.com/binarycodes/ssh-key-signer
+
+archlinux:
+ packager: Sujoy Das
+ pkgbase: ssh-keysign
+
 contents:
 - src: ./go-ssh-keysign/bin/ssh-keysign-linux-amd64
- dst: /usr/local/bin/ssh-keysign
+ dst: /usr/bin/ssh-keysign
+ file_info:
+ mode: 0755
+ owner: root
+ group: root
+
+ - src: ./LICENSE
+ dst: /usr/share/licenses/ssh-keysign/LICENSE