diff --git a/.goreleaser.yml b/.goreleaser.yml
index 6e77d582..9d09e407 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -37,9 +37,7 @@ builds:
       - arm64
     hooks:
       post:
-        - env:
-            - GON_SOURCE={{ .Path }}
-          cmd: gon -log-level=debug gon.hcl
+        - cmd: bash script/gon.sh "{{ .Path }}"
           output: true
 
 checksum:
@@ -53,12 +51,12 @@ signs:
     ids:
       - hcloud-build
       - hcloud-build-darwin
-    args: 
-    - --batch
-    - --local-user=github-bot@hetzner-cloud.de
-    - --pinentry-mode=loopback
-    - --output=${signature}
-    - --detach-sign=${artifact}
+    args:
+      - --batch
+      - --local-user=github-bot@hetzner-cloud.de
+      - --pinentry-mode=loopback
+      - --output=${signature}
+      - --detach-sign=${artifact}
 
 archives:
   - id: hcloud-archive
diff --git a/gon.hcl b/gon.hcl
deleted file mode 100644
index 38c3bd73..00000000
--- a/gon.hcl
+++ /dev/null
@@ -1,11 +0,0 @@
-source = ["@env:GON_SOURCE"]
-bundle_id = "cloud.hetzner.cli"
-
-apple_id {
-  username = "integrations@hetzner-cloud.de"
-  password = "@env:HC_APPLE_DEVELOPER_PASSWORD"
-}
-
-sign {
-  application_identity = "Developer ID Application: Hetzner Cloud GmbH (4PM38G6W5R)"
-}
diff --git a/script/gon.sh b/script/gon.sh
new file mode 100644
index 00000000..2e3194e8
--- /dev/null
+++ b/script/gon.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -eu
+
+# Only sign on releasing
+if [[ "${GITHUB_REF_TYPE:-}" != "tag" ]]; then
+  exit 0
+fi
+
+BINARY_PATH="$1"
+
+GON_CONFIG=$(mktemp gon_XXXX.json)
+cleanup() {
+  rm -f "$GON_CONFIG"
+}
+trap cleanup EXIT
+
+printf '{
+  "source": ["%s"],
+  "bundle_id": "cloud.hetzner.cli",
+  "apple_id": {
+    "username": "integrations@hetzner-cloud.de",
+    "password": "@env:HC_APPLE_DEVELOPER_PASSWORD"
+  },
+  "sign": {
+    "application_identity": "Developer ID Application: Hetzner Cloud GmbH (4PM38G6W5R)"
+  }
+}' "$BINARY_PATH" > "$GON_CONFIG"
+
+gon -log-level=debug "$GON_CONFIG"