--- a/taskcluster/ci/repackage-signing/kind.yml
+++ b/taskcluster/ci/repackage-signing/kind.yml
@@ -21,8 +21,28 @@ only-for-build-platforms:
    - linux64-nightly/opt
    - linux64-devedition-nightly/opt
    - macosx64-nightly/opt
    - macosx64-devedition-nightly/opt
    - win32-nightly/opt
    - win32-devedition-nightly/opt
    - win64-nightly/opt
    - win64-devedition-nightly/opt
+
+job-template:
+   signing-cert:
+      by-product:
+         devedition:
+            by-project:
+               mozilla-beta: nightly
+               maple: nightly
+               default: dep
+         firefox:
+            by-project:
+               oak: nightly
+               mozilla-central: nightly
+               birch: release
+               maple: release
+               mozilla-beta: release
+               mozilla-release: release
+               mozilla-esr60: release
+               default: dep
+         default: dep

--- a/taskcluster/taskgraph/transforms/repackage_signing.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing.py
@@ -4,34 +4,40 @@
 """
 Transform the repackage signing task into an actual task description.
 """
 
 from __future__ import absolute_import, print_function, unicode_literals
 
 from taskgraph.transforms.base import TransformSequence
 from taskgraph.util.attributes import copy_attributes_from_dependent_job
-from taskgraph.util.schema import validate_schema, Schema
+from taskgraph.util.schema import (
+    Schema,
+    optionally_keyed_by,
+    resolve_keyed_by,
+    validate_schema,
+)
 from taskgraph.util.scriptworker import (
     add_scope_prefix,
-    get_signing_cert_scope_per_platform,
+    get_signing_cert_scope_from_task,
     get_worker_type_for_scope,
 )
 from taskgraph.transforms.task import task_description_schema
 from voluptuous import Required, Optional
 
 # Voluptuous uses marker objects as dictionary *keys*, but they are not
 # comparable, so we cast all of the keys back to regular strings
 task_description_schema = {str(k): v for k, v in task_description_schema.schema.iteritems()}
 
 transforms = TransformSequence()
 
 repackage_signing_description_schema = Schema({
     Required('dependent-task'): object,
     Required('depname', default='repackage'): basestring,
+    Required('signing-cert'): optionally_keyed_by('product', 'project', basestring),
     Optional('label'): basestring,
     Optional('treeherder'): task_description_schema['treeherder'],
     Optional('shipping-product'): task_description_schema['shipping-product'],
     Optional('shipping-phase'): task_description_schema['shipping-phase'],
 })
 
 
 @transforms.add
@@ -82,18 +88,18 @@ def make_repackage_signing_description(c
         locale_str = ""
         if dep_job.attributes.get('locale'):
             treeherder['symbol'] = 'rs({})'.format(dep_job.attributes.get('locale'))
             attributes['locale'] = dep_job.attributes.get('locale')
             locale_str = "{}/".format(dep_job.attributes.get('locale'))
 
         build_platform = dep_job.attributes.get('build_platform')
         is_nightly = dep_job.attributes.get('nightly')
-        signing_cert_scope = get_signing_cert_scope_per_platform(
-            build_platform, is_nightly, config
+        signing_cert_scope = get_signing_cert_scope_from_task(
+            config, task=job, product=job.get('shipping-product')
         )
         scopes = [signing_cert_scope, add_scope_prefix(config, 'signing:format:mar_sha384')]
 
         upstream_artifacts = [{
             "taskId": {"task-reference": "<repackage>"},
             "taskType": "repackage",
             "paths": [
                 "public/build/{}target.complete.mar".format(locale_str),

--- a/taskcluster/taskgraph/util/scriptworker.py
+++ b/taskcluster/taskgraph/util/scriptworker.py
@@ -15,16 +15,18 @@ happen on mozilla-beta and mozilla-relea
 
 Additional configuration is found in the :ref:`graph config <taskgraph-graph-config>`.
 """
 from __future__ import absolute_import, print_function, unicode_literals
 import functools
 import json
 import os
 
+from taskgraph.util.schema import resolve_keyed_by
+
 
 # constants {{{1
 """Map signing scope aliases to sets of projects.
 
 Currently m-c and DevEdition on m-b use nightly signing; Beta on m-b and m-r
 use release signing. These data structures aren't set-up to handle different
 scopes on the same repo, so we use a different set of them for DevEdition, and
 callers are responsible for using the correct one (by calling the appropriate
@@ -354,16 +356,36 @@ def get_phase_from_target_method(config,
 
 
 @with_scope_prefix
 def get_balrog_action_scope(config, action='submit'):
     assert action in BALROG_ACTIONS
     return "balrog:action:{}".format(action)
 
 
+@with_scope_prefix
+def get_signing_cert_scope_from_task(config, task=None, **kwargs):
+    """Get the release signing cert scope from task['signing-cert']"""
+    resolve_kwargs = dict(**config.params)
+    if kwargs:
+        resolve_kwargs.update(kwargs)
+    resolve_keyed_by(
+        task, 'signing-cert',
+        task.get('label', task.get('name', task.get('description'))),
+        **resolve_kwargs
+    )
+    cert = {
+        'release': 'signing:cert:release-signing',
+        'nightly': 'signing:cert:nightly-signing',
+    }.get(task['signing-cert'], 'signing:cert:dep-signing')
+    del(task['signing-cert'])
+    return cert
+
+
+
 get_signing_cert_scope = functools.partial(
     get_scope_from_project,
     alias_to_project_map=SIGNING_SCOPE_ALIAS_TO_PROJECT,
     alias_to_scope_map=SIGNING_CERT_SCOPES,
 )
 
 get_devedition_signing_cert_scope = functools.partial(
     get_scope_from_project,