diff --git a/meta-digi-arm/conf/machine/ccimx6qpsbc.conf b/meta-digi-arm/conf/machine/ccimx6qpsbc.conf index 73be213f8..243e82f50 100644 --- a/meta-digi-arm/conf/machine/ccimx6qpsbc.conf +++ b/meta-digi-arm/conf/machine/ccimx6qpsbc.conf @@ -49,8 +49,8 @@ XBEE_TTY ?= "ttymxc4" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ - u-boot-ccimx6qpsbc1GB.imx \ - u-boot-ccimx6qpsbc2GB.imx \ + u-boot##SIGNED##-ccimx6qpsbc1GB.imx \ + u-boot##SIGNED##-ccimx6qpsbc2GB.imx \ " # Default overlayfs_etc mount point and type diff --git a/meta-digi-arm/conf/machine/ccimx6sbc.conf b/meta-digi-arm/conf/machine/ccimx6sbc.conf index 232a9c350..d832c16f6 100644 --- a/meta-digi-arm/conf/machine/ccimx6sbc.conf +++ b/meta-digi-arm/conf/machine/ccimx6sbc.conf @@ -51,11 +51,11 @@ XBEE_TTY ?= "ttymxc4" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ - u-boot-ccimx6dlsbc512MB.imx \ - u-boot-ccimx6dlsbc.imx \ - u-boot-ccimx6qsbc2GB.imx \ - u-boot-ccimx6qsbc512MB.imx \ - u-boot-ccimx6qsbc.imx \ + u-boot##SIGNED##-ccimx6dlsbc512MB.imx \ + u-boot##SIGNED##-ccimx6dlsbc.imx \ + u-boot##SIGNED##-ccimx6qsbc2GB.imx \ + u-boot##SIGNED##-ccimx6qsbc512MB.imx \ + u-boot##SIGNED##-ccimx6qsbc.imx \ " # Default overlayfs_etc mount point and type diff --git a/meta-digi-arm/conf/machine/ccimx6ulsbc.conf b/meta-digi-arm/conf/machine/ccimx6ulsbc.conf index 5daf216bf..7a6f98339 100644 --- a/meta-digi-arm/conf/machine/ccimx6ulsbc.conf +++ b/meta-digi-arm/conf/machine/ccimx6ulsbc.conf @@ -36,7 +36,7 @@ XBEE_TTY ?= "ttymxc1" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ - u-boot-ccimx6ulsbc1GB.imx \ - u-boot-ccimx6ulsbc512MB.imx \ - u-boot-ccimx6ulsbc.imx \ + u-boot##SIGNED##-ccimx6ulsbc1GB.imx \ + u-boot##SIGNED##-ccimx6ulsbc512MB.imx \ + u-boot##SIGNED##-ccimx6ulsbc.imx \ " 
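Review bot: The comment above `BOOTABLE_ARTIFACTS` in ccimx6qpsbc.conf still only says the artifacts are copied to the installer ZIP, so nothing tells a reader that `##SIGNED##` is a placeholder rather than part of a file name. I would add a line such as `# ##SIGNED## is replaced by dey-image-installer.bbclass with "" or the signed/encrypted suffix` next to it. The same applies to the other machine files touched by this commit (ccimx6sbc, ccimx6ulsbc, ccimx6ulstarter, ccimx8mm-dvk, ccimx8mn-dvk, ccimx8x-sbc-express, ccimx8x-sbc-pro, ccimx91-dvk, ccimx93-dvk). Anything that reads `BOOTABLE_ARTIFACTS` without expanding the token will look for files that do not exist, so the contract is worth stating where the variable is set.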
diff --git a/meta-digi-arm/conf/machine/ccimx6ulstarter.conf b/meta-digi-arm/conf/machine/ccimx6ulstarter.conf index 6771aafdd..c89bcb477 100644 --- a/meta-digi-arm/conf/machine/ccimx6ulstarter.conf +++ b/meta-digi-arm/conf/machine/ccimx6ulstarter.conf @@ -35,7 +35,7 @@ DEFAULT_IMAGE_NAME ?= "core-image-base" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ - u-boot-ccimx6ulstarter1GB.imx \ - u-boot-ccimx6ulstarter512MB.imx \ - u-boot-ccimx6ulstarter.imx \ + u-boot##SIGNED##-ccimx6ulstarter1GB.imx \ + u-boot##SIGNED##-ccimx6ulstarter512MB.imx \ + u-boot##SIGNED##-ccimx6ulstarter.imx \ " diff --git a/meta-digi-arm/conf/machine/ccimx8mm-dvk.conf b/meta-digi-arm/conf/machine/ccimx8mm-dvk.conf index 4f296ec50..6ea18d62d 100644 --- a/meta-digi-arm/conf/machine/ccimx8mm-dvk.conf +++ b/meta-digi-arm/conf/machine/ccimx8mm-dvk.conf @@ -55,7 +55,7 @@ XBEE_SLEEP_RQ_GPIO ?= "mca-gpio@11,gpio1@7" XBEE_TTY ?= "ttymxc3" # Boot artifacts to be copied from the deploy dir to the installer ZIP -BOOTABLE_ARTIFACTS = "imx-boot-ccimx8mm-dvk.bin" +BOOTABLE_ARTIFACTS = "imx-boot##SIGNED##-ccimx8mm-dvk.bin" # Default overlayfs_etc mount point and type OVERLAYFS_ETC_MOUNT_POINT ?= "/mnt/data" diff --git a/meta-digi-arm/conf/machine/ccimx8mn-dvk.conf b/meta-digi-arm/conf/machine/ccimx8mn-dvk.conf index 3270b8096..5966e7529 100644 --- a/meta-digi-arm/conf/machine/ccimx8mn-dvk.conf +++ b/meta-digi-arm/conf/machine/ccimx8mn-dvk.conf @@ -56,7 +56,7 @@ XBEE_SLEEP_RQ_GPIO ?= "mca-gpio@11,gpio1@7" XBEE_TTY ?= "ttymxc3" # Boot artifacts to be copied from the deploy dir to the installer ZIP -BOOTABLE_ARTIFACTS = "imx-boot-ccimx8mn-dvk.bin" +BOOTABLE_ARTIFACTS = "imx-boot##SIGNED##-ccimx8mn-dvk.bin" # Default overlayfs_etc mount point and type OVERLAYFS_ETC_MOUNT_POINT ?= "/mnt/data" diff --git a/meta-digi-arm/conf/machine/ccimx8x-sbc-express.conf b/meta-digi-arm/conf/machine/ccimx8x-sbc-express.conf index ffd76bad3..6dd90992a 100644 
--- a/meta-digi-arm/conf/machine/ccimx8x-sbc-express.conf +++ b/meta-digi-arm/conf/machine/ccimx8x-sbc-express.conf @@ -34,6 +34,6 @@ XBEE_TTY ?= "ttyLP0" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ - imx-boot-ccimx8x-sbc-express-B0.bin \ - imx-boot-ccimx8x-sbc-express-C0.bin \ + imx-boot##SIGNED##-ccimx8x-sbc-express-B0.bin \ + imx-boot##SIGNED##-ccimx8x-sbc-express-C0.bin \ " diff --git a/meta-digi-arm/conf/machine/ccimx8x-sbc-pro.conf b/meta-digi-arm/conf/machine/ccimx8x-sbc-pro.conf index fd55f8cb2..b7d2aa33b 100644 --- a/meta-digi-arm/conf/machine/ccimx8x-sbc-pro.conf +++ b/meta-digi-arm/conf/machine/ccimx8x-sbc-pro.conf @@ -49,8 +49,8 @@ XBEE_TTY ?= "ttyMCA0" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ - imx-boot-ccimx8x-sbc-pro-B0.bin \ - imx-boot-ccimx8x-sbc-pro-C0.bin \ + imx-boot##SIGNED##-ccimx8x-sbc-pro-B0.bin \ + imx-boot##SIGNED##-ccimx8x-sbc-pro-C0.bin \ " # Default overlayfs_etc mount point and type diff --git a/meta-digi-arm/conf/machine/ccimx91-dvk.conf b/meta-digi-arm/conf/machine/ccimx91-dvk.conf index 1dbc47989..f0c0ba895 100644 --- a/meta-digi-arm/conf/machine/ccimx91-dvk.conf +++ b/meta-digi-arm/conf/machine/ccimx91-dvk.conf @@ -47,7 +47,7 @@ IS_HEADLESS = "true" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ - imx-boot-ccimx91-dvk.bin \ + imx-boot##SIGNED##-ccimx91-dvk.bin \ " # Add secure enclave diff --git a/meta-digi-arm/conf/machine/ccimx93-dvk.conf b/meta-digi-arm/conf/machine/ccimx93-dvk.conf index b139b792d..03de79998 100644 --- a/meta-digi-arm/conf/machine/ccimx93-dvk.conf +++ b/meta-digi-arm/conf/machine/ccimx93-dvk.conf 
@@ -53,6 +53,6 @@ WKS_FILE_DEPENDS:append = " imx-m33-demos" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ - imx-boot-ccimx93-dvk.bin \ - imx-boot-ccimx93-dvk-A0.bin \ + imx-boot##SIGNED##-ccimx93-dvk.bin \ + imx-boot##SIGNED##-ccimx93-dvk-A0.bin \ " diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend index 5cab81e18..f73e80ea6 100644 --- a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend +++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend @@ -118,7 +118,9 @@ do_compile:ccimx8x() { do_install:ccimx8x () { install -d ${D}/boot - for bin in ${BOOTABLE_ARTIFACTS}; do + # Remove ##SIGNED## placeholder from variable (signing takes place later) + BOOT_ARTIFACTS=$(echo "${BOOTABLE_ARTIFACTS}" | sed -e 's,##SIGNED##,,g') + for bin in ${BOOT_ARTIFACTS}; do for target in ${IMXBOOT_TARGETS}; do install -m 0644 ${S}/${bin}-${target} ${D}/boot/ done diff --git a/meta-digi-dey/classes/dey-image-installer.bbclass b/meta-digi-dey/classes/dey-image-installer.bbclass index c44b5417f..191a0b05a 100644 --- a/meta-digi-dey/classes/dey-image-installer.bbclass +++ b/meta-digi-dey/classes/dey-image-installer.bbclass 
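Review bot: In imx-boot_1.0.bbappend only the `do_install:ccimx8x` override strips `##SIGNED##`, yet this commit also adds the token to the ccimx8mm, ccimx8mn, ccimx91 and ccimx93 machine files; if the install or deploy steps for those SoCs, which this diff does not show, iterate over `BOOTABLE_ARTIFACTS` too, they need the same stripping. The token is also spelled out here and again in dey-image-installer.bbclass, so a shared variable holding the unsigned list would keep the two from drifting apart. In the new line itself the `echo | sed` pipeline can be avoided with BitBake's inline Python, `BOOT_ARTIFACTS="${@d.getVar('BOOTABLE_ARTIFACTS').replace('##SIGNED##', '')}"`. The body of `do_install:ccimx8x` continues past the end of the hunk.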
@@ -31,6 +31,50 @@ HAS_USB_DRIVER:ccimx9 = "true" HAS_USB_DRIVER:ccmp1 = "true" HAS_USB_DRIVER:ccmp2 = "true" +BOOTLOADER_SIGNED_STRING ?= "-signed" +BOOTLOADER_ENCRYPTED_STRING ?= "-encrypted" +BOOTLOADER_SIGNED_USB_STRING ?= "-usb-signed" + +curate_bootloader_artifacts() { + for artifact in ${BOOTABLE_ARTIFACTS}; do + # NXP platforms may have a ##SIGNED## placeholder to replace + if [ "${DEY_SOC_VENDOR}" = "NXP" ] && echo "${artifact}" | grep -q -e "##SIGNED##"; then + if [ "${TRUSTFENCE_SIGN}" = "1" ]; then + if [ "${DIGI_SOM}" = "ccimx6ul" ]; then + if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + # Encrypted bootloader + curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},") + CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" + else + # Signed, non-encrypted bootloader + curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_STRING},") + CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" + fi + # Signed, non-encrypted bootloader for USB recovery + curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_USB_STRING},") + CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" + else + if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + # Encrypted bootloader + curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},") + CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" + fi + # Signed, non-encrypted bootloader for USB recovery + curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_STRING},") + CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" + fi + else + # Non-signed bootloader + curated_artifact=$(echo "${artifact}" | sed 's,##SIGNED##,,') + CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" + fi + else + CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} 
${artifact}" + fi + done + export CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS}" +} + generate_installer_zip () { # Get list of files to pack INSTALLER_FILELIST="${DEPLOY_DIR_IMAGE}/install_linux_fw_sd.scr \ @@ -53,7 +97,10 @@ generate_installer_zip () { INSTALLER_FILELIST="${INSTALLER_FILELIST} ${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.${ext}" fi done - for artifact in ${BOOTABLE_ARTIFACTS}; do + + # Add bootable artifacts to installer + curate_bootloader_artifacts + for artifact in ${CURATED_BOOTABLE_ARTIFACTS}; do if readlink -e "${DEPLOY_DIR_IMAGE}/${artifact}" >/dev/null; then INSTALLER_FILELIST="${INSTALLER_FILELIST} ${DEPLOY_DIR_IMAGE}/${artifact}" fi
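Review bot: `curate_bootloader_artifacts` in dey-image-installer.bbclass only ever appends to `CURATED_BOOTABLE_ARTIFACTS`, so a second call in the same task or a value already present in the environment leaves stale or duplicate names in the list; starting the function with `CURATED_BOOTABLE_ARTIFACTS=""` removes that dependency. The tests `[ "${TRUSTFENCE_DEK_PATH}" != "0" ]` also take the encrypted path when the variable is empty; whether it always has a default is not visible in this diff, so an explicit empty check or a comment naming the expected default would help. In the non-ccimx6ul branch the comment `# Signed, non-encrypted bootloader for USB recovery` sits above a substitution that uses `BOOTLOADER_SIGNED_STRING`, not `BOOTLOADER_SIGNED_USB_STRING`, so it reads as copied from the ccimx6ul branch and should say what that artifact is for on those platforms. A short header comment listing which suffixes are emitted for each combination of `TRUSTFENCE_SIGN`, `DIGI_SOM` and `TRUSTFENCE_DEK_PATH` would make the selection reviewable at a glance.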
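Review bot: With `TRUSTFENCE_SIGN = "1"` the loop in `generate_installer_zip` now asks only for the `-signed`, `-encrypted` or `-usb-signed` names, and the existing `readlink -e` guard drops any that are missing without a message, so a signing step that did not produce its output yields an installer ZIP with no bootloader and no build error. I would make the miss visible with an `else` branch such as `bbwarn "Bootable artifact ${artifact} not found in ${DEPLOY_DIR_IMAGE}"`, and consider `bbfatal` when signing is enabled and no bootloader artifact at all was added. `generate_installer_zip` starts before and ends after this hunk, so how the list is consumed further down is not visible here.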