diff --git a/qubes-rpc/Makefile b/qubes-rpc/Makefile
index b16e2592..7308f7aa 100644
--- a/qubes-rpc/Makefile
+++ b/qubes-rpc/Makefile
@@ -78,7 +78,8 @@ install:
 		qubes.ShowInTerminal \
 		qubes.ConnectTCP \
 		qubes.TemplateSearch \
-		qubes.TemplateDownload
+		qubes.TemplateDownload \
+		qubes.PESign
 	$(LN) qubes.VMExec $(DESTDIR)$(QUBESRPCCMDDIR)/qubes.VMExecGUI
 	for config in *.config; do \
 		install -D -m 0644 "$$config" "$(DESTDIR)$(QUBESRPCCONFDIR)/$${config%.config}"; \
diff --git a/qubes-rpc/qubes.PESign b/qubes-rpc/qubes.PESign
new file mode 100755
index 00000000..f58676de
--- /dev/null
+++ b/qubes-rpc/qubes.PESign
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -x -e -o pipefail
+
+CERTIFICATE="$1"
+[[ -z "$CERTIFICATE" ]] && { echo "Please provide certificate name"; exit 1; };
+
+PAYLOAD_DIR="$(mktemp -d)"
+
+cleanup() {
+    local payload_dir="$1"
+    if [ -n "${payload_dir}" ]; then
+        rm -rf "${payload_dir}"
+    fi
+}
+
+trap "cleanup ${PAYLOAD_DIR}" EXIT
+
+payload="${PAYLOAD_DIR}/payload"
+
+# Limit stdin size
+head --bytes=100MB > "$payload"
+
+# We don't allow payload being at least 100MB
+actual_size="$(wc -c < "$payload")"
+if [ "$actual_size" -eq $((100 * 1024 * 1024)) ]; then
+    echo "Input size is at least 100MB. Aborting."
+    exit 1
+fi
+
+pesign -s -c "${CERTIFICATE//__/ }" -i "$payload" -o "$payload".signed
+
+cat "$payload".signed