diff --git a/script/sign b/script/sign
index f07a7d2d46e..00a4a23d48f 100755
--- a/script/sign
+++ b/script/sign
@@ -2,19 +2,34 @@
 # usage: script/sign
 #
 # Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool
-#
+
 set -e
-sign_macos() {
- if [[ -z "$APPLE_DEVELOPER_ID" ]]; then
- echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2
- return 0
+required_env_vars=("APPLE_DEVELOPER_ID" "APPLE_ID" "APPLE_ID_PASSWORD")
+
+check_env_vars() {
+ local missing=()
+ for var in "${required_env_vars[@]}"; do
+ if [[ -z "${!var}" ]]; then
+ missing+=("$var")
+ fi
+ done
+ if (( ${#missing[@]} )); then
+ echo "Error: Missing required environment variables: ${missing[*]}" >&2
+ exit 1
 fi
+}
- if [[ $1 == *.zip ]]; then
- xcrun notarytool submit "$1" --apple-id "${APPLE_ID?}" --team-id "${APPLE_DEVELOPER_ID?}" --password "${APPLE_ID_PASSWORD?}"
+sign_macos() {
+ local input_file="$1"
+ if [[ $input_file == *.zip ]]; then
+ xcrun notarytool submit "$input_file" \
+ --apple-id "${APPLE_ID}" \
+ --team-id "${APPLE_DEVELOPER_ID}" \
+ --password "${APPLE_ID_PASSWORD}"
 else
- codesign --timestamp --options=runtime -s "${APPLE_DEVELOPER_ID?}" -v "$1"
+ codesign --timestamp --options=runtime \
+ -s "${APPLE_DEVELOPER_ID}" -v "$input_file"
 fi
 }
@@ -29,6 +44,8 @@ if [[ $platform != "Darwin" ]]; then
 exit 1
 fi
-for input_file; do
+check_env_vars
+
+for input_file in "$@"; do
 sign_macos "$input_file"
 done
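Review bot: In the first hunk, the rewritten `sign_macos` still passes the Apple ID password as `--password "${APPLE_ID_PASSWORD}"`, so the secret sits on notarytool's argv, where it is readable from the process list and would be printed by any `set -x` trace of this script. The commit reformats that call but keeps the exposure; saving the credentials once with `xcrun notarytool store-credentials` and submitting with `--keychain-profile "<PROFILE_NAME>"` (placeholder name) keeps the password off the command line. Separately, the loop variable in `check_env_vars` is not declared local and leaks into the global scope; `local var missing=()` would contain it.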
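Review bot: In the second hunk, `check_env_vars` runs once before the loop and requires all three variables, so a run that only codesigns binaries (the non-zip branch, which reads only `APPLE_DEVELOPER_ID`) now fails unless `APPLE_ID` and `APPLE_ID_PASSWORD` are exported too. That pushes the notarization secret into jobs that do not need it. It also removes the old skip-and-return-0 path, so builds without signing credentials now exit 1. If that is intended, the header comment should say so. Otherwise, keep the requirement per branch with expansions that also reject empty values, e.g. `--apple-id "${APPLE_ID:?}"` and `--password "${APPLE_ID_PASSWORD:?}"` in the zip branch and `-s "${APPLE_DEVELOPER_ID:?}"` for codesign.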