diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
index ba9b87759..3e41ce4eb 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
@@ -15,3 +15,30 @@ SRC_URI = " \
 "
 
 TF_A_CONFIG[nand]   = "${DEVICE_BOARD_ENABLE:NAND},STM32MP_RAW_NAND=1 ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NAND}' if ${TF_A_MTD_START_OFFSET_NAND} else ''} STM32MP_USB_PROGRAMMER=1"
+
+# Sign TF-A image
+do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'tfa_sign', '', d)}"
+tfa_sign() {
+	export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+	export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+
+	unset i
+	for config in ${TF_A_CONFIG}; do
+		i=$(expr $i + 1)
+		# Initialize devicetree list and tf-a basename
+		dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
+		tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
+		tfa_file_type=$(echo ${TF_A_FILES} | cut -d',' -f${i})
+		for dt in ${dt_config}; do
+			for file_type in ${tfa_file_type}; do
+				case "${file_type}" in
+				bl2)
+					TF_A_FILENAME="${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
+					if [ -f "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}" ]; then
+						trustfence-sign-artifact.sh -p "${DIGI_SOM}" -t "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}" "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}_signed"
+					fi
+				esac
+			done # for file_type in ${tfa_file_type}
+		done # for dt in ${dt_config}
+	done # for config in ${TF_A_CONFIG}
+}