diff --git a/eng/pipelines/templates/jobs/vmr-build.yml b/eng/pipelines/templates/jobs/vmr-build.yml
index 24f93dfcf380..ea01e66d2ab5 100644
--- a/eng/pipelines/templates/jobs/vmr-build.yml
+++ b/eng/pipelines/templates/jobs/vmr-build.yml
@@ -45,6 +45,11 @@ parameters:
   type: boolean
   default: false
 
+- name: sign
+  displayName: True when build output should be signed
+  type: boolean
+  default: false
+
 # Overrides the rid that is produced by the build.
 - name: targetRid
   type: string
@@ -276,16 +281,14 @@ jobs:
         versionSpec: 20.x
 
     - script: |
+        set extraBuildArguments=
+        if /I '${{ parameters.sign }}'=='True' set extraBuildArguments=%extraBuildArguments% -sign
+        if /I '${{ parameters.useDevVersions }}'=='True' set extraBuildArguments=%extraBuildArguments% -dev
         set extraBuildProperties=
         if not [${{ parameters.buildPass }}]==[] set extraBuildProperties=%extraBuildProperties% /p:DotNetBuildPass=${{ parameters.buildPass }}
-        call build.cmd -ci -cleanWhileBuilding -prepareMachine %devArgument% /p:TargetOS=${{ parameters.targetOS }} /p:TargetArchitecture=${{ parameters.targetArchitecture }} /p:VerticalName=$(Agent.JobName) %extraBuildProperties% ${{ parameters.extraProperties }}
+        call build.cmd -ci -cleanWhileBuilding -prepareMachine %extraBuildArguments% /p:TargetOS=${{ parameters.targetOS }} /p:TargetArchitecture=${{ parameters.targetArchitecture }} /p:VerticalName=$(Agent.JobName) %extraBuildProperties% ${{ parameters.extraProperties }}
       displayName: Build
       workingDirectory: ${{ variables.sourcesPath }}
-      env:
-        ${{ if eq(parameters.useDevVersions, 'True') }}:
-          devArgument: -dev
-        ${{ else }}:
-          devArgument: ''
 
     - ${{ if eq(parameters.runTests, 'True') }}:
       - script: |
@@ -360,6 +363,10 @@ jobs:
           customBuildArgs="$customBuildArgs --dev"
         fi
 
+        if [[ '${{ parameters.sign }}' == 'True' ]]; then
+          customBuildArgs="$customBuildArgs --sign"
+        fi
+
         if [[ -n "${{ parameters.targetRid }}" ]]; then
           customBuildArgs="$customBuildArgs --target-rid ${{ parameters.targetRid }}"
         fi
diff --git a/eng/pipelines/templates/stages/vmr-build.yml b/eng/pipelines/templates/stages/vmr-build.yml
index 667fec5e02eb..2e8d774c8ee1 100644
--- a/eng/pipelines/templates/stages/vmr-build.yml
+++ b/eng/pipelines/templates/stages/vmr-build.yml
@@ -370,6 +370,7 @@ stages:
         targetArchitecture: x64
         useDevVersions: true # Use dev versions for CI validation of the experience. If we decide to ship assets from this leg, then we should remove this option.
         runTests: false # Temporarily do not run tests. The nuget comparison fails for some non-obvious reason and needs further investigation. Mostly, I'm not sure why it ever passed. https://github.com/dotnet/sdk/issues/42920
+        sign: true
 
     - template: ../jobs/vmr-build.yml
       parameters:
@@ -381,6 +382,7 @@ stages:
         container: ${{ variables.ubuntuContainer }}
         targetOS: linux
         targetArchitecture: x64
+        sign: true
 
     - template: ../jobs/vmr-build.yml
       parameters:
@@ -391,6 +393,7 @@ stages:
         pool: ${{ parameters.pool_Windows }}
         targetOS: windows
         targetArchitecture: x64
+        sign: true
 
     - template: ../jobs/vmr-build.yml
       parameters:
@@ -403,6 +406,7 @@ stages:
         targetOS: android
         targetArchitecture: arm64
         runTests: false
+        sign: true
 
     - template: ../jobs/vmr-build.yml
       parameters:
@@ -416,6 +420,7 @@ stages:
         targetOS: browser
         targetArchitecture: wasm
         runTests: false
+        sign: true
 
     - template: ../jobs/vmr-build.yml
       parameters:
@@ -427,6 +432,7 @@ stages:
         targetOS: iossimulator
         targetArchitecture: arm64
         runTests: false
+        sign: true
 
     ### Additional jobs for full build ###
     - ${{ if in(parameters.scope, 'full') }}:
diff --git a/src/SourceBuild/content/build.sh b/src/SourceBuild/content/build.sh
index fc4bff0f7396..34d5cc8483ea 100755
--- a/src/SourceBuild/content/build.sh
+++ b/src/SourceBuild/content/build.sh
@@ -21,6 +21,7 @@ usage()
   echo "  --clean                         Clean the solution"
   echo "  --help                          Print help and exit (short: -h)"
   echo "  --test                          Run tests (short: -t)"
+  echo "  --sign                          Sign the build."
   echo ""
 
   echo "Source-only settings:"
@@ -128,6 +129,14 @@ while [[ $# > 0 ]]; do
     -test|-t)
       test=true
       ;;
+    -sign)
+      properties+=( "/p:Sign=true" )
+      # Force dry run signing for now. In typical VMR builds, the official build ID is set for each repo, which
+      # tells the signing infra that it should expect to see signed bits. This won't be the case in CI builds,
+      # and won't be the case for official builds until more of the real signing infra is functional.
+      # https://github.com/dotnet/source-build/issues/4678
+      properties+=( "/p:ForceDryRunSigning=true" )
+      ;;
 
     # Source-only settings
     -source-only|-source-build|-so|-sb)
diff --git a/src/SourceBuild/content/eng/build.ps1 b/src/SourceBuild/content/eng/build.ps1
index d1a6924e10e5..9097819a015f 100644
--- a/src/SourceBuild/content/eng/build.ps1
+++ b/src/SourceBuild/content/eng/build.ps1
@@ -7,6 +7,7 @@ Param(
 
   # Actions
   [switch]$clean,
+  [switch]$sign,
   [switch][Alias('h')]$help,
   [switch][Alias('t')]$test,
 
@@ -29,6 +30,7 @@ function Get-Usage() {
 
   Write-Host "Actions:"
   Write-Host "  -clean                  Clean the solution"
+  Write-Host "  -sign                   Sign the build."
   Write-Host "  -help                   Print help and exit (short: -h)"
   Write-Host "  -test                   Run tests (repo tests omitted by default) (short: -t)"
   Write-Host ""
@@ -64,6 +66,15 @@ if ($test) {
   $env:MSBUILDENSURESTDOUTFORTASKPROCESSES="1"
 }
 
+if ($sign) {
+  $arguments += "/p:Sign=true"
+  # Force dry run signing for now. In typical VMR builds, the official build ID is set for each repo, which
+  # tells the signing infra that it should expect to see signed bits. This won't be the case in CI builds,
+  # and won't be the case for official builds until more of the real signing infra is functional.
+  # https://github.com/dotnet/source-build/issues/4678
+  $arguments +=  "/p:ForceDryRunSigning=true"
+}
+
 if ($buildRepoTests) {
   $arguments += "/p:DotNetBuildTests=true"
 }
diff --git a/src/SourceBuild/content/repo-projects/Directory.Build.props b/src/SourceBuild/content/repo-projects/Directory.Build.props
index e9f13b43afb2..07b08c7eff8a 100644
--- a/src/SourceBuild/content/repo-projects/Directory.Build.props
+++ b/src/SourceBuild/content/repo-projects/Directory.Build.props
@@ -70,6 +70,7 @@
     <BuildActions>$(BuildActions) $(FlagParameterPrefix)build</BuildActions>
     <BuildActions>$(BuildActions) $(FlagParameterPrefix)pack</BuildActions>
     <BuildActions>$(BuildActions) $(FlagParameterPrefix)publish</BuildActions>
+    <BuildActions Condition="'$(Sign)' == 'true'">$(BuildActions) $(FlagParameterPrefix)sign</BuildActions>
 
     <!-- TODO: Remove the DotNetBuildSourceOnly condition when the default build behavior changes to dev -->
     <BuildArgs Condition="'$(ContinuousIntegrationBuild)' == 'true' or '$(DotNetBuildSourceOnly)' == 'true'">$(FlagParameterPrefix)ci</BuildArgs>
@@ -93,6 +94,7 @@
     <BuildArgs>$(BuildArgs) /p:SourceBuiltAssetsDir=$(ArtifactsAssetsDir)</BuildArgs>
     <BuildArgs>$(BuildArgs) /p:SourceBuiltAssetManifestsDir=$(RepoAssetManifestsDir)</BuildArgs>
     <BuildArgs Condition="'$(OfficialBuildId)' != ''">$(BuildArgs) /p:OfficialBuildId=$(OfficialBuildId)</BuildArgs>
+    <BuildArgs Condition="'$(ForceDryRunSigning)' != ''">$(BuildArgs) /p:ForceDryRunSigning=$(ForceDryRunSigning)</BuildArgs>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(DotNetBuildSourceOnly)' == 'true'">