diff --git a/.common-ci.yml b/.common-ci.yml
index c8acaf6..7e60927 100644
--- a/.common-ci.yml
+++ b/.common-ci.yml
@@ -37,6 +37,7 @@ stages:
   - e2e_tests
   - aws_kube_clean
   - release
+  - sign
 
 # Define the distribution targets
 .dist-ubuntu22.04:
diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml
index c7d04bf..2748d75 100644
--- a/.nvidia-ci.yml
+++ b/.nvidia-ci.yml
@@ -233,3 +233,60 @@ release:ngc-nbody-ubuntu22.04:
     - .release:ngc
     - .dist-ubuntu22.04
     - .sample-nbody
+
+# Define the external image signing steps for NGC
+# Download the ngc cli binary for use in the sign steps
+.ngccli-setup:
+  before_script:
+    - apt-get update && apt-get install -y curl unzip jq
+    - |
+      if [ -z "${NGCCLI_VERSION}" ]; then
+        NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
+        # Extract the latest version from the JSON data using jq
+        export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
+      fi
+      echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
+    - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
+    - unzip ngccli_linux.zip
+    - chmod u+x ngc-cli/ngc
+
+# .sign forms the base of the deployment jobs which signs images in the CI registry.
+# This is extended with the image name and version to be deployed.
+.sign:ngc:
+  image: ubuntu:latest
+  stage: sign
+  rules:
+    - if: $CI_COMMIT_TAG
+  variables:
+    NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
+    IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
+  retry:
+    max: 2
+  before_script:
+    - !reference [.ngccli-setup, before_script]
+    # We ensure that the IMAGE_NAME and IMAGE_TAG is set
+    - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
+    - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
+  script:
+    - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
+    - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia
+
+sign:ngc:
+  extends:
+    - .sign:ngc
+  parallel:
+    matrix:
+    - SIGN_JOB_NAME: ["vectoradd" ]
+      DIST: ["", "CI_COMMIT_TAG", "ubuntu22.04", "ubi8"]
+    - SIGN_JOB_NAME: ["nbody", "devicequery"]
+      DIST: ["", "CI_COMMIT_TAG", "ubuntu22.04"]
+  rules:
+    - if: $CI_COMMIT_TAG && '$DIST == ""'
+      variables:
+        IMAGE_TAG: "$SIGN_JOB_NAME"
+    - if: '$DIST == "CI_COMMIT_TAG"'
+      variables:
+        IMAGE_TAG: "$SIGN_JOB_NAME-${CI_COMMIT_TAG}"
+    - if: '$DIST != "" && $DIST != "CI_COMMIT_TAG"'
+      variables:
+        IMAGE_TAG: "$SIGN_JOB_NAME-${CI_COMMIT_TAG}-${DIST}"