diff --git a/build_image.sh b/build_image.sh
index ea276367eb51..95e4ef133f76 100755
--- a/build_image.sh
+++ b/build_image.sh
@@ -86,7 +86,7 @@ generate_onie_installer_image()
     ## Note: Don't leave blank between lines. It is single line command.
     ./onie-mk-demo.sh $CONFIGURED_ARCH $TARGET_MACHINE $TARGET_PLATFORM-$TARGET_MACHINE-$ONIEIMAGE_VERSION \
           installer platform/$TARGET_MACHINE/platform.conf $output_file OS $IMAGE_VERSION $ONIE_IMAGE_PART_SIZE \
-          $ONIE_INSTALLER_PAYLOAD
+          $ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_SIGNING_CERT $SECURE_UPGRADE_DEV_SIGNING_KEY
 }
 
 # Generate asic-specific device list
diff --git a/installer/sharch_body.sh b/installer/sharch_body.sh
index e6289371cd58..9683b4692dca 100644
--- a/installer/sharch_body.sh
+++ b/installer/sharch_body.sh
@@ -11,7 +11,9 @@
 ##
 
 echo -n "Verifying image checksum ..."
-sha1=$(sed -e '1,/^exit_marker$/d' "$0" | sha1sum | awk '{ print $1 }')
+payload_image_size=%%PAYLOAD_IMAGE_SIZE%%
+
+sha1=$(sed -e '1,/^exit_marker$/d' "$0" | head -c $payload_image_size | sha1sum | awk '{ print $1 }')
 
 payload_sha1=%%IMAGE_SHA1%%
 
@@ -45,7 +47,9 @@ if [ "$(id -u)" = "0" ] ; then
 fi
 cd $tmp_dir
 echo -n "Preparing image archive ..."
-sed -e '1,/^exit_marker$/d' $archive_path | tar xf - || exit 1
+
+sed -e '1,/^exit_marker$/d' $archive_path | head -c $payload_image_size | tar xf - || exit 1
+
 echo " OK."
 cd $cur_wd
 if [ -n "$extract" ] ; then
diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh
index 0905673d42cb..b466441ca31b 100755
--- a/onie-mk-demo.sh
+++ b/onie-mk-demo.sh
@@ -14,6 +14,9 @@ output_file=$6
 demo_type=$7
 image_version=$8
 onie_image_part_size=$9
+onie_installer_payload=${10}
+cert_file=${11}
+key_file=${12}
 
 shift 9
 
@@ -100,7 +103,7 @@ sed -i -e "s/%%DEMO_TYPE%%/$demo_type/g" \
        -e "s@%%OUTPUT_RAW_IMAGE%%@$output_raw_image@" \
     $tmp_installdir/install.sh || clean_up 1
 echo -n "."
-cp -r $* $tmp_installdir || clean_up 1
+cp -r $onie_installer_payload $tmp_installdir || clean_up 1
 echo -n "."
 [ -r "$platform_conf" ] && {
     cp $platform_conf $tmp_installdir || clean_up 1
@@ -130,7 +133,50 @@ cp $installer_dir/sharch_body.sh $output_file || {
 # Replace variables in the sharch template
 sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file
 echo -n "."
+tar_size="$(wc -c < "${sharch}")"
+sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file}
 cat $sharch >> $output_file
+echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \
+SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_SIGNING_CERT = $SECURE_UPGRADE_SIGNING_CERT"
+
+if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then
+    CMS_SIG="${tmp_dir}/signature.sig"
+    DIR="$(dirname "$0")"
+    scripts_dir="${DIR}/scripts"
+    echo "$0 $SECURE_UPGRADE_MODE signing - creating CMS signature for ${output_file}. Output file ${CMS_SIG}"
+
+    if [ "$SECURE_UPGRADE_MODE" = "dev" ]; then
+        echo "$0 dev keyfile location: ${key_file}."
+        [ -f ${scripts_dir}/sign_image_dev.sh ] || {
+            echo "dev sign script ${scripts_dir}/sign_image_dev.sh not found"
+            rm -rf ${output_file}
+        }
+        (${scripts_dir}/sign_image_dev.sh ${cert_file} ${key_file} ${output_file} ${CMS_SIG}) || {
+            echo "CMS sign error $?"
+            rm -rf ${CMS_SIG} ${output_file}
+        }
+    else # "$SECURE_UPGRADE_MODE" has to be equal to "prod"
+        [ -f ${scripts_dir}/sign_image_${machine}.sh ] || {
+            echo "prod sign script ${scripts_dir}/sign_image_${machine}.sh not found"
+            rm -rf ${output_file}
+        }
+        (${scripts_dir}/sign_image_${machine}.sh ${output_file} ${CMS_SIG} ${SECURE_UPGRADE_MODE}) || {
+            echo "CMS sign error $?"
+            rm -rf ${CMS_SIG} ${output_file}
+        }
+    fi
+    
+    [ -f "$CMS_SIG" ] || {
+         echo "Error: CMS signature not created - exiting without signing"
+         clean_up 1
+    }
+    # append signature to binary
+    cat ${CMS_SIG} >> ${output_file}
+    sudo rm -rf ${CMS_SIG}
+elif [ "$SECURE_UPGRADE_MODE" -ne "no_sign" ]; then
+    echo "SECURE_UPGRADE_MODE not defined or defined as $SECURE_UPGRADE_MODE - build without signing"
+fi
+
 rm -rf $tmp_dir
 echo " Done."
 
diff --git a/scripts/sign_image_dev.sh b/scripts/sign_image_dev.sh
new file mode 100755
index 000000000000..668672f49378
--- /dev/null
+++ b/scripts/sign_image_dev.sh
@@ -0,0 +1,11 @@
+cert_file=$1
+key_file=$2
+image_to_sign=$3
+cms_sig_out=$4
+openssl cms -sign -nosmimecap -signer ${cert_file} -inkey ${key_file} -binary -in $image_to_sign -outform pem -out ${cms_sig_out} || {
+    echo "$?: CMS sign error"
+    sudo rm -rf ${cms_sig_out}
+    exit 1
+}
+echo "CMS sign OK"
+exit 0