diff --git a/scripts/publish-banger-release.sh b/scripts/publish-banger-release.sh
index dd468bd..89610b4 100755
--- a/scripts/publish-banger-release.sh
+++ b/scripts/publish-banger-release.sh
@@ -112,8 +112,12 @@ log "cosign sign-blob → SHA256SUMS.sig"
 # via crypto/ecdsa.VerifyASN1.
 # These flags also work on cosign v2.x, so the script is forward- and
 # backward-compatible across the v2→v3 boundary.
-COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
- cosign sign-blob --yes \
+# If COSIGN_PASSWORD is set in the environment, cosign uses it.
+# Otherwise cosign prompts on the terminal — which is what we want
+# for a password-protected offline key. Don't pre-set it to empty:
+# that suppresses the prompt and makes cosign try to decrypt with
+# the empty password, failing with "decryption failed".
+cosign sign-blob --yes \
 --key "$COSIGN_KEY" \
 --use-signing-config=false \
 --tlog-upload=false \
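Review bot: The new `cosign sign-blob --yes \` invocation relies on COSIGN_PASSWORD being either unset or non-empty, but nothing checks for the set-but-empty state the added comment itself warns about, so a caller that exports `COSIGN_PASSWORD=` (for example from a CI template that pre-declares every variable) still ends up with the opaque "decryption failed". A guard just before the call turns that into an actionable error: `if [[ -n "${COSIGN_PASSWORD+x}" && -z "$COSIGN_PASSWORD" ]]; then` / `  die "COSIGN_PASSWORD is set but empty; unset it to be prompted for the key password"` / `fi` (assuming the script has a `die` helper alongside the `log` seen in the hunk header; otherwise `printf '%s\n' "..." >&2; exit 1`). The comment also only covers the terminal case; when neither a TTY nor the variable is present, cosign presumably reads the password from stdin rather than prompting, so a headless run would be better served by `[[ -t 0 || -n "${COSIGN_PASSWORD:-}" ]] || die "no terminal for the cosign key password prompt and COSIGN_PASSWORD is unset"` than by silently consuming whatever is on stdin. The cosign command's remaining flags continue past the end of the hunk.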