diff --git a/bootstrap_sdk b/bootstrap_sdk
index 50a26283eb..805c983a15 100755
--- a/bootstrap_sdk
+++ b/bootstrap_sdk
@@ -87,7 +87,8 @@ if [[ "$STAGES" =~ stage4 ]]; then
     info "SDK ready: $BUILDS/${release_name}"
 
     def_upload_path="${UPLOAD_ROOT}/sdk/${ARCH}/${FLAGS_version}"
-    upload_files "tarball" "${def_upload_path}" "" "$BUILDS/${release_name}" \
+    sign_and_upload_files "tarball" "${def_upload_path}" "" \
+        "$BUILDS/${release_name}" \
         "$BUILDS/${release_name}.CONTENTS" "$BUILDS/${release_name}.DIGESTS"
     upload_files "packages" "${def_upload_path}" "pkgs/" "${BINPKGS}"/*
 fi
diff --git a/build_library/release_util.sh b/build_library/release_util.sh
index 1e08c0a8a3..1afb1b7f90 100644
--- a/build_library/release_util.sh
+++ b/build_library/release_util.sh
@@ -98,6 +98,40 @@ upload_files() {
         "${local_upload_path}/${extra_upload_suffix}"
 }
 
+
+# Identical to upload_files but GPG signs every file if enabled.
+# Usage: sign_and_upload_files "file type" "${UPLOAD_ROOT}/default/path" "" files...
+#  arg1: file type reported via log
+#  arg2: default upload path, overridden by --upload_path
+#  arg3: upload path suffix that can't be overridden, must end in /
+#  argv: remaining args are files or directories to upload
+sign_and_upload_files() {
+    [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
+
+    local msg="$1"
+    local path="$2"
+    local suffix="$3"
+    shift 3
+
+    # Create simple GPG detached signature for all uploads.
+    local sigs=()
+    if [[ -n "${FLAGS_sign}" ]]; then
+        local file
+        for file in "$@"; do
+            if [[ "${file}" =~ \.(asc|gpg|sig)$ ]]; then
+                continue
+            fi
+
+            rm -f "${file}.sig"
+            gpg --batch --local-user "${FLAGS_sign}" \
+                --detach-sign "${file}" || die "gpg failed"
+            sigs+=( "${file}.sig" )
+        done
+    fi
+
+    upload_files "${msg}" "${path}" "${suffix}" "$@" "${sigs[@]}"
+}
+
 upload_packages() {
     [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
     [[ -n "${BOARD}" ]] || die "board_options.sh must be sourced first"
@@ -160,26 +194,9 @@ upload_image() {
       uploads+=( "${digests}.asc" )
     fi
 
-    # Create simple GPG detached signature for all uploads.
-    local sigs=()
-    if [[ -n "${FLAGS_sign}" ]]; then
-        local file
-        for file in "${uploads[@]}"; do
-            if [[ "${file}" =~ \.(asc|gpg|sig)$ ]]; then
-                continue
-            fi
-
-            rm -f "${file}.sig"
-            gpg --batch --local-user "${FLAGS_sign}" \
-                --detach-sign "${file}" || die "gpg failed"
-            sigs+=( "${file}.sig" )
-        done
-    fi
-    uploads+=( "${sigs[@]}" )
-
     local log_msg=$(basename "$digests" .DIGESTS)
     local def_upload_path="${UPLOAD_ROOT}/boards/${BOARD}/${COREOS_VERSION_STRING}"
-    upload_files "${log_msg}" "${def_upload_path}" "" "${uploads[@]}"
+    sign_and_upload_files "${log_msg}" "${def_upload_path}" "" "${uploads[@]}"
 }
 
 # Translate the configured upload URL to a download URL