diff --git a/scripts/tag-and-push.sh b/scripts/tag-and-push.sh
index eaba43fe..94c4ffc1 100755
--- a/scripts/tag-and-push.sh
+++ b/scripts/tag-and-push.sh
@@ -9,6 +9,25 @@ if git rev-parse "$tag" >/dev/null 2>&1; then
 exit 0
 fi
 
-echo "Creating and pushing tag: $tag"
-git tag -a "$tag" -m "CRE CLI $tag"
-git push origin "$tag"
+sha=$(git rev-parse HEAD)
+repo="${GITHUB_REPOSITORY}"
+
+echo "Creating signed tag: $tag (pointing to $sha)"
+
+# Create an annotated tag object via the GitHub API.
+# Tags created server-side are signed by GitHub and display as "Verified".
+tag_sha=$(gh api "repos/${repo}/git/tags" \
+ --method POST \
+ -f tag="$tag" \
+ -f message="CRE CLI $tag" \
+ -f object="$sha" \
+ -f type="commit" \
+ --jq '.sha')
+
+# Create the ref pointing to the tag object
+gh api "repos/${repo}/git/refs" \
+ --method POST \
+ -f ref="refs/tags/$tag" \
+ -f sha="$tag_sha"
+
+echo "Tag $tag created and verified."
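Review bot: The closing `echo "Tag $tag created and verified."` reports a signature status that nothing in the hunk checks. Only `.sha` is read from the tag-object response, so an unsigned or unverifiable tag object would still get a ref and a "verified" log line. Read the tag object's `verification.verified` field and stop before the `git/refs` call unless it is `true`, as sketched below. Separately, `repo="${GITHUB_REPOSITORY}"` should fail early when the variable is missing, e.g. `repo="${GITHUB_REPOSITORY:?GITHUB_REPOSITORY must be set}"`. The script's header is outside the hunk, so it is not visible whether `set -eu` already covers an unset variable or a failed `gh api` call.

```shell
# … unchanged: tag_sha=$(gh api "repos/${repo}/git/tags" … --jq '.sha') …
verified=$(gh api "repos/${repo}/git/tags/${tag_sha}" --jq '.verification.verified')
if [ "$verified" != "true" ]; then
  echo "Tag object $tag_sha is not verified; not creating refs/tags/$tag" >&2
  exit 1
fi
# … unchanged: gh api call that creates refs/tags/$tag …
```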