diff --git a/modules/cli/src/main/scala/scala/cli/commands/publish/Publish.scala b/modules/cli/src/main/scala/scala/cli/commands/publish/Publish.scala index 34c2e72a65..90a8cd4609 100644 --- a/modules/cli/src/main/scala/scala/cli/commands/publish/Publish.scala +++ b/modules/cli/src/main/scala/scala/cli/commands/publish/Publish.scala @@ -52,6 +52,7 @@ import scala.cli.config.{ConfigDb, Keys, PublishCredentials} import scala.cli.errors.{ FailedToSignFileError, MalformedChecksumsError, + MissingConfigEntryError, MissingPublishOptionError, UploadError } @@ -824,6 +825,7 @@ object Publish extends ScalaCommand[PublishOptions] with BuildCommandHelpers { if (repoParams.supportsSig) if (publishOptions.contextual(isCi).secretKey.isDefined) Some(PSigner.BouncyCastle) else if (publishOptions.contextual(isCi).gpgSignatureId.isDefined) Some(PSigner.Gpg) + else if (repoParams.shouldSign) Some(PSigner.BouncyCastle) else None else None } 
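Review bot: The added `else if (repoParams.shouldSign) Some(PSigner.BouncyCastle)` branch picks a signer before any key is known to exist, and the next hunk resolves a missing key to `NopSigner` with only a `logger.diagnostic`, so a publish to a repository flagged `shouldSign` can still go out unsigned. In a CI log that one line is easy to miss; since `isCi` is already in scope, consider treating the missing-key case as an error there, or requiring an explicit opt-out, rather than warning and continuing. At minimum the branch should carry a comment such as `// no key on the command line: fall back to the PGP key stored in the config; publishes unsigned with a warning if none is set`. The enclosing expression starts outside the hunk.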
@@ -838,50 +840,69 @@ object Publish extends ScalaCommand[PublishOptions] with BuildCommandHelpers { case None => NopSigner } case Some(PSigner.BouncyCastle) => - publishOptions.contextual(isCi).secretKey match { + val getLauncher: Supplier[Array[String]] = { () => + val archiveCache = builds.headOption + .map(_.options.archiveCache) + .getOrElse(ArchiveCache()) + PgpExternalCommand.launcher( + archiveCache, + None, + logger, + () => builds.head.options.javaHome().value.javaCommand + ) match { + case Left(e) => throw new Exception(e) + case Right(binary) => binary.command.toArray + } + } + val secretKeyDetailsOpt = publishOptions.contextual(isCi).secretKey match { case Some(secretKey0) => - val getLauncher: Supplier[Array[String]] = { () => - val archiveCache = builds.headOption - .map(_.options.archiveCache) - .getOrElse(ArchiveCache()) - PgpExternalCommand.launcher( - archiveCache, - None, - logger, - () => builds.head.options.javaHome().value.javaCommand - ) match { - case Left(e) => throw new Exception(e) - case Right(binary) => binary.command.toArray - } + val secretKey = secretKey0.get(configDb()).orExit(logger).toCliSigning + val secretKeyPassword = publishOptions + .contextual(isCi) + .secretKeyPassword + .orNull + .get(configDb()) + .orExit(logger) + .toCliSigning + Some((secretKey, secretKeyPassword)) + case None => + configDb().get(Keys.pgpSecretKey).wrapConfigException.orExit(logger) match { + case Some(secretKey) => + val secretKeyPassword = + configDb().get(Keys.pgpSecretKeyPassword).wrapConfigException + .flatMap { + case None => + Left(new MissingConfigEntryError(Keys.pgpSecretKeyPassword.fullName)) + case Some(p) => Right(p) + } + .orExit(logger) + Some((secretKey.toCliSigning, secretKeyPassword.toCliSigning)) + case None => + None } - val secretKey = secretKey0.get(configDb()).orExit(logger) + } + secretKeyDetailsOpt match { + case Some((secretKey, secretKeyPassword)) => if (forceSigningBinary) (new 
scala.cli.internal.BouncycastleSignerMakerSubst).get( - publishOptions - .contextual(isCi) - .secretKeyPassword - .orNull - .get(configDb()) - .orExit(logger) - .toCliSigning, - secretKey.toCliSigning, + secretKeyPassword, + secretKey, getLauncher, logger ) else (new BouncycastleSignerMaker).get( - publishOptions - .contextual(isCi) - .secretKeyPassword - .orNull - .get(configDb()) - .orExit(logger) - .toCliSigning, - secretKey.toCliSigning, + secretKeyPassword, + secretKey, getLauncher, logger ) - case None => NopSigner + case None => + if (repoParams.shouldSign) + logger.diagnostic( + "PGP signatures are disabled, while these are recommended for this repository." + ) + NopSigner } case Some(PSigner.Nop) => NopSigner case None => NopSigner diff --git a/modules/cli/src/main/scala/scala/cli/commands/publish/RepoParams.scala b/modules/cli/src/main/scala/scala/cli/commands/publish/RepoParams.scala index 3ff6474875..5f27880b6d 100644 --- a/modules/cli/src/main/scala/scala/cli/commands/publish/RepoParams.scala +++ b/modules/cli/src/main/scala/scala/cli/commands/publish/RepoParams.scala @@ -20,6 +20,7 @@ final case class RepoParams( defaultParallelUpload: Boolean, supportsSig: Boolean, acceptsChecksums: Boolean, + shouldSign: Boolean, shouldAuthenticate: Boolean ) { def withAuth(auth: Authentication): RepoParams = @@ -87,6 +88,7 @@ object RepoParams { true, true, true, + false, false ) } @@ -112,6 +114,7 @@ object RepoParams { true, true, true, + true, true ) } @@ -125,6 +128,7 @@ object RepoParams { false, false, false, + false, true ) @@ -151,6 +155,7 @@ object RepoParams { true, true, true, + false, false ) }
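Review bot: In the `case Some(secretKey0)` branch, `secretKeyPassword.orNull.get(configDb())` is carried over as is. If `secretKeyPassword` is an `Option`, as `.orNull` suggests, it dereferences null when a secret key is passed without a password, so the user gets a NullPointerException instead of a diagnostic. The new config branch handles the same situation explicitly with `MissingConfigEntryError`, and the command-line branch should match it, for example `secretKeyPassword.toRight(missingPasswordError).flatMap(_.get(configDb())).orExit(logger).toCliSigning`, where `missingPasswordError` is a placeholder for a suitable error such as the `MissingPublishOptionError` this file already imports. If keys without a passphrase are meant to be supported, both branches need an explicit no-password path rather than an error. The enclosing `match` on the signer starts outside the hunk.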
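Review bot: `shouldSign` is inserted between two other `Boolean` fields of `RepoParams`, and every construction site passes it positionally (`true, true, true, false, false` and similar, in the hunks at -87, -112, -125 and -151). Nothing at those sites says which literal is the signing flag, and swapping it with `shouldAuthenticate` would still compile. Named arguments would make each site reviewable, e.g. `shouldSign = true, shouldAuthenticate = true`. The field also deserves a one-line comment in the case class on how it differs from `supportsSig`; going by the diagnostic text in Publish.scala, it appears to mean the repository recommends signatures rather than merely accepts them. The case class and the constructor calls all start or end outside their hunks.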