diff --git a/build.sh b/build.sh
index 2febdfa..25ecf29 100644
--- a/build.sh
+++ b/build.sh
@@ -22,7 +22,25 @@ else
 DATA="${ESP}"
 fi
-PGP_PUB='BADA5579'
+PGP_PUB='312ACDF9BB03C81ADE95B9C09C7613450C80C24F'
+function sign {
+ if [ -d "${1}" ] ; then
+ local file
+ local files
+ readarray -t files <<< "$(find "${1}" -type f | sort)"
+ for file in "${files[@]}" ; do
+ sign "${file}"
+ done
+ fi
+ if [ -f "${1}" ] ; then
+ echo "${1}"
+ gpg \
+ --quiet \
+ --default-key "${PGP_PUB}!" \
+ --detach-sign \
+ "${1}"
+ fi
+}
 NAME="$(basename "${FILE}")"
 PREVIOUS="${PWD}"
@@ -129,7 +147,7 @@ fi
 mkdir "${BIOS_DIRECTORY}"
 cp '/usr/lib/grub/i386-pc/boot.img' "${BIOS_DIRECTORY}"
-# gpg --detach-sign "${BIOS_DIRECTORY}/boot.img"
+sign "${BIOS_DIRECTORY}/boot.img"
 grub-mkimage \
 --compress "${COMPRESSION}" \
@@ -138,7 +156,7 @@ grub-mkimage \
 --output "${BIOS_FILE}" \
 --pubkey "${MEMDISK_PUB}" \
 "${MODULES[@]}" "${MODULES_BIOS[@]}"
-# gpg --detach-sign "${BIOS_FILE}"
+sign "${BIOS_FILE}"
 echo -n '#! /usr/bin/env bash
 FILE="$(realpath "${BASH_SOURCE[0]}")"
@@ -148,7 +166,7 @@ DIRECTORY="$(dirname "${FILE}")"
 --directory "${DIRECTORY}" \
 "${1}"
 ' >> "${BIOS_SETUP}"
-# gpg --detach-sign "${BIOS_SETUP}"
+sign "${BIOS_SETUP}"
 # grub ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
@@ -201,6 +219,8 @@ if [ \"\${cmdroot}\" != \"\${root}\" ] ; then
 fi
 fi
 unset cmdroot
+check_signatures='enforce'
+trust --skip-sig \"\${prefix}/grub.pub\"
 function set_init {
 data_uuid='${DATA}'
@@ -218,12 +238,7 @@ function set_init {
 unset file
 }
-function normal_init {
- check_signatures='no'
- set_init
-}
-
-normal_init
+set_init
 source \"\${live}/main.sh\"
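Review bot: The new `sign` function never checks that `gpg --detach-sign` succeeded, so a missing key or unavailable agent lets the build finish with unsigned files, and because the generated config now sets `check_signatures='enforce'` the problem only surfaces as a boot failure; append `|| exit 1` to the gpg call (or `|| return 1` and check at the call sites) unless the script already enables `set -e` above this hunk, which is not visible here. The directory branch also signs every regular file `find` reports, including any `*.sig` left by an earlier call in the same run or by a previous run, and `readarray -t files <<< "$(find … | sort)"` mis-splits file names that contain a newline. A NUL-delimited walk that excludes existing signatures addresses both; the rewrite below assumes GNU find/sort, which the `/usr/lib/grub/i386-pc` path in the later hunk already implies.
```shell
function sign {
  if [ -d "${1}" ] ; then
    local file
    # NUL-delimited so any file name survives; skip signatures from earlier runs
    while IFS= read -r -d '' file ; do
      sign "${file}"
    done < <(find "${1}" -type f ! -name '*.sig' -print0 | sort -z)
  fi
  if [ -f "${1}" ] ; then
    printf '%s\n' "${1}"
    gpg \
      --quiet \
      --default-key "${PGP_PUB}!" \
      --detach-sign \
      "${1}" || exit 1
  fi
}
```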
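Review bot: In the hunk at `@@ -201,6 +219,8 @@`, `trust --skip-sig \"\${prefix}/grub.pub\"` adds a public key read from the boot medium without verifying it, immediately after `check_signatures='enforce'` is set, so whoever can write `${prefix}/grub.pub` on that medium can substitute their own key and then sign replacement payloads; enforcement is no longer bound to the key embedded at build time by `grub-mkimage --pubkey "${MEMDISK_PUB}"` in the hunk at `@@ -138,7 +156,7 @@`. If `grub.pub` is the same key as `${MEMDISK_PUB}` the line is redundant and can be dropped; if it is a different key, ship a `grub.pub.sig` made with the embedded key and use `trust \"\${prefix}/grub.pub\"` without `--skip-sig` so GRUB verifies it before trusting it. In either case a comment naming which key this is and why it is trusted would help the next reader; the generated GRUB config these lines belong to starts before the hunk. The removal of `normal_init` in the following hunk is consistent with this, since its `check_signatures='no'` would otherwise undo the setting.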
@@ -306,11 +321,9 @@ cd "${DIRECTORY}"
 # sign ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
-readarray -t files <<< "$(find "${GRUB_ROOT}" -type f | sort)"
-for file in "${files[@]}" ; do
- echo "${file}"
- # gpg --detach-sign "${file}"
-done
+sign "${ROOT}/${PROJECT}/live"
+sign "${GRUB_ROOT}"
+sign "${UEFI_DIRECTORY}"
 # display ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
diff --git a/live/main.sh b/live/main.sh
index 6362e1e..b68f709 100644
--- a/live/main.sh
+++ b/live/main.sh
@@ -12,4 +12,6 @@ menu_split
 menuentry 'bash / stable / tui' { debsquash '/boot/bash/stable/tui' }
 menuentry 'bash / stable / gui' { debsquash '/boot/bash/stable/gui' }
 menuentry 'bash / latest / tui' { debsquash '/boot/bash/latest/tui' }
+menuentry 'check_signatures = enforce' { check_signatures='enforce' }
+menuentry 'check_signatures = no' { check_signatures='no' }
 menuentry 'bash / latest / gui' { debsquash '/boot/bash/latest/gui' }
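Review bot: `sign "${ROOT}/${PROJECT}/live"` looks like it signs the project's own source directory in place (the `live/main.sh` patched in the next file section would sit under it), which leaves `.sig` files next to the sources and, because `sign` treats every regular file as input, feeds those signatures back in on the next run; copying `live` into the build tree and signing the copy, or excluding `*.sig` inside `sign`, avoids that. Whether `${UEFI_DIRECTORY}` or the BIOS files signed earlier lie under `${GRUB_ROOT}` cannot be told from this hunk; if they do, the three calls overlap in the same way and the files are signed twice. A one-line comment above these calls stating which trees are expected to be disjoint would make the intent checkable.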
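Review bot: `menuentry 'check_signatures = no' { check_signatures='no' }` gives anyone at the boot menu a signed, one-keystroke way to switch enforcement back off, which undoes the `check_signatures='enforce'` the generated config sets before it loads this file; if the entry is meant for development only, keep it out of release images or gate it behind GRUB's `superusers`/`password_pbkdf2` mechanism with `--users` on this entry, and say so in a comment above it. As a matter of layout, the two toggles are inserted between `bash / latest / tui` and `bash / latest / gui`, splitting the group of boot entries; placing them after the last `bash` entry keeps the menu readable.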