diff --git a/policy/centos7/scripts/sign b/hack/centos7_sign
similarity index 94%
rename from policy/centos7/scripts/sign
rename to hack/centos7_sign
index 8453718..38ad845 100755
--- a/policy/centos7/scripts/sign
+++ b/hack/centos7_sign
@@ -1,9 +1,6 @@
 #!/bin/bash
 set -e -x
 
-yum install -y rpm-sign expect
-
-cd $(dirname $0)/..
 . ./scripts/version
 
 cat <<\EOF >~/.rpmmacros 
diff --git a/policy/microos/scripts/sign b/hack/sign
similarity index 98%
rename from policy/microos/scripts/sign
rename to hack/sign
index f3225da..9fa6ef3 100755
--- a/policy/microos/scripts/sign
+++ b/hack/sign
@@ -6,9 +6,6 @@ SIGN_KEY_EMAIL="ci@rancher.com"
 
 export GPG_TTY=$(tty)
 
-zypper install -y rpm
-
-cd $(dirname $0)/..
 . ./scripts/version
 
 if [ "${DRY_RUN}" = "--dry-run" ]
@@ -68,4 +65,3 @@ rpmsign --addsign dist/**/rancher-*.rpm \
 
 echo "Verifying RPMs signatures"
 rpm --checksig --verbose dist/**/rancher-*.rpm
-
diff --git a/policy/centos8/scripts/sign b/policy/centos8/scripts/sign
deleted file mode 100755
index 2cf8568..0000000
--- a/policy/centos8/scripts/sign
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/bash
-set -e
-
-DRY_RUN=$1
-SIGN_KEY_EMAIL="ci@rancher.com"
-
-export GPG_TTY=$(tty)
-
-yum install -y rpm-sign
-
-cd $(dirname $0)/..
-. ./scripts/version
-
-if [ "${DRY_RUN}" = "--dry-run" ]
-then
-	echo "!! Executing in dry-run mode"
-	echo "!! Generating a temporary disposable GPG key to test the signing"
-	echo "!! process (this is only useful when testing PRs)"
-
-	SIGN_KEY_EMAIL="disposable-ci-test-key"
-	TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20)
-	RPM_CHANNEL="testing"
-
-	gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048
-
-	TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL")
-fi
-
-case "$RPM_CHANNEL" in
-  "testing")
-    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
-    if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then
-      echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
-      exit 1
-    fi
-    echo "Importing GPG private key TESTING_PRIVATE_KEY"
-    gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY"
-    ;;
-  "production")
-    if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then
-      echo "PRIVATE_KEY not defined, failing rpm sign"
-      exit 1
-    fi
-    echo "Importing GPG private key PRIVATE_KEY"
-    gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY"
-    ;;
-  *)
-    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]"
-    exit 1
-    ;;
-esac
-
-gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL"
-rpm --import "$SIGN_KEY_EMAIL"
-
-echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY"
-rpmsign --addsign dist/**/rancher-*.rpm \
-        --define "_gpg_name ${SIGN_KEY_EMAIL}" \
-        --define "_gpgbin /usr/bin/gpg" \
-        --define "__gpg_sign_cmd %{__gpg} gpg \
-                  --batch \
-                  --no-armor \
-                  --pinentry-mode loopback \
-                  --passphrase ${PRIVATE_KEY_PASS_PHRASE} \
-                  -u %{_gpg_name} \
-                  -sbo %{__signature_filename} \
-                  --digest-algo sha256 %{__plaintext_filename}"
-
-echo "Verifying RPMs signatures"
-rpm --checksig --verbose dist/**/rancher-*.rpm
-
diff --git a/policy/centos9/scripts/sign b/policy/centos9/scripts/sign
deleted file mode 100755
index 2cf8568..0000000
--- a/policy/centos9/scripts/sign
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/bash
-set -e
-
-DRY_RUN=$1
-SIGN_KEY_EMAIL="ci@rancher.com"
-
-export GPG_TTY=$(tty)
-
-yum install -y rpm-sign
-
-cd $(dirname $0)/..
-. ./scripts/version
-
-if [ "${DRY_RUN}" = "--dry-run" ]
-then
-	echo "!! Executing in dry-run mode"
-	echo "!! Generating a temporary disposable GPG key to test the signing"
-	echo "!! process (this is only useful when testing PRs)"
-
-	SIGN_KEY_EMAIL="disposable-ci-test-key"
-	TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20)
-	RPM_CHANNEL="testing"
-
-	gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048
-
-	TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL")
-fi
-
-case "$RPM_CHANNEL" in
-  "testing")
-    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
-    if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then
-      echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
-      exit 1
-    fi
-    echo "Importing GPG private key TESTING_PRIVATE_KEY"
-    gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY"
-    ;;
-  "production")
-    if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then
-      echo "PRIVATE_KEY not defined, failing rpm sign"
-      exit 1
-    fi
-    echo "Importing GPG private key PRIVATE_KEY"
-    gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY"
-    ;;
-  *)
-    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]"
-    exit 1
-    ;;
-esac
-
-gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL"
-rpm --import "$SIGN_KEY_EMAIL"
-
-echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY"
-rpmsign --addsign dist/**/rancher-*.rpm \
-        --define "_gpg_name ${SIGN_KEY_EMAIL}" \
-        --define "_gpgbin /usr/bin/gpg" \
-        --define "__gpg_sign_cmd %{__gpg} gpg \
-                  --batch \
-                  --no-armor \
-                  --pinentry-mode loopback \
-                  --passphrase ${PRIVATE_KEY_PASS_PHRASE} \
-                  -u %{_gpg_name} \
-                  -sbo %{__signature_filename} \
-                  --digest-algo sha256 %{__plaintext_filename}"
-
-echo "Verifying RPMs signatures"
-rpm --checksig --verbose dist/**/rancher-*.rpm
-
diff --git a/policy/fedora37/scripts/sign b/policy/fedora37/scripts/sign
deleted file mode 100755
index 33db6cb..0000000
--- a/policy/fedora37/scripts/sign
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/bash
-set -e
-
-DRY_RUN=$1
-SIGN_KEY_EMAIL="ci@rancher.com"
-
-export GPG_TTY=$(tty)
-
-dnf install -y rpm-sign
-
-cd $(dirname $0)/..
-. ./scripts/version
-
-if [ "${DRY_RUN}" = "--dry-run" ]
-then
-  echo "!! Executing in dry-run mode"
-  echo "!! Generating a temporary disposable GPG key to test the signing"
-  echo "!! process (this is only useful when testing PRs)"
-
-  SIGN_KEY_EMAIL="disposable-ci-test-key"
-  TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20)
-  RPM_CHANNEL="testing"
-
-  gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048
-
-  TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL")
-fi
-
-case "$RPM_CHANNEL" in
-  "testing")
-    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
-    if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then
-      echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
-      exit 1
-    fi
-    echo "Importing GPG private key TESTING_PRIVATE_KEY"
-    gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY"
-    ;;
-  "production")
-    if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then
-      echo "PRIVATE_KEY not defined, failing rpm sign"
-      exit 1
-    fi
-    echo "Importing GPG private key PRIVATE_KEY"
-    gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY"
-    ;;
-  *)
-    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]"
-    exit 1
-    ;;
-esac
-
-gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL"
-rpm --import "$SIGN_KEY_EMAIL"
-
-echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY"
-rpmsign --addsign dist/**/rancher-*.rpm \
-        --define "_gpg_name ${SIGN_KEY_EMAIL}" \
-        --define "_gpgbin /usr/bin/gpg" \
-        --define "__gpg_sign_cmd %{__gpg} gpg \
-                  --batch \
-                  --no-armor \
-                  --pinentry-mode loopback \
-                  --passphrase ${PRIVATE_KEY_PASS_PHRASE} \
-                  -u %{_gpg_name} \
-                  -sbo %{__signature_filename} \
-                  --digest-algo sha256 %{__plaintext_filename}"
-
-echo "Verifying RPMs signatures"
-rpm --checksig --verbose dist/**/rancher-*.rpm
\ No newline at end of file