diff --git a/cmd/build.go b/cmd/build.go
index 938411c275..0653a572b1 100644
--- a/cmd/build.go
+++ b/cmd/build.go
@@ -261,7 +261,10 @@ func dobuild(params buildParams, args []string) error {
 return err
 }
 
- bsc := buildSigningConfig(params.key, params.algorithm, params.claimsFile, params.plugin)
+ bsc, err := buildSigningConfig(params.key, params.algorithm, params.claimsFile, params.plugin)
+ if err != nil {
+ return err
+ }
 
 if bvc != nil || bsc != nil {
 if !params.bundleMode {
@@ -346,10 +349,12 @@ func buildVerificationConfig(pubKey, pubKeyID, alg, scope string, excludeFiles [
 return bundle.NewVerificationConfig(map[string]*keys.Config{pubKeyID: keyConfig}, pubKeyID, scope, excludeFiles), nil
 }
 
-func buildSigningConfig(key, alg, claimsFile, plugin string) *bundle.SigningConfig {
+func buildSigningConfig(key, alg, claimsFile, plugin string) (*bundle.SigningConfig, error) {
+ if key == "" && (plugin != "" || claimsFile != "" || alg != "") {
+ return nil, fmt.Errorf("specify the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)")
+ }
 if key == "" {
- return nil
+ return nil, nil
 }
-
- return bundle.NewSigningConfig(key, alg, claimsFile).WithPlugin(plugin)
+ return bundle.NewSigningConfig(key, alg, claimsFile).WithPlugin(plugin), nil
 }
diff --git a/cmd/sign.go b/cmd/sign.go
index 1ab51503a9..e1db23d7b0 100644
--- a/cmd/sign.go
+++ b/cmd/sign.go
@@ -169,7 +169,10 @@ func doSign(args []string, params signCmdParams) error {
 return err
 }
 
- signingConfig := buildSigningConfig(params.key, params.algorithm, params.claimsFile, params.plugin)
+ signingConfig, err := buildSigningConfig(params.key, params.algorithm, params.claimsFile, params.plugin)
+ if err != nil {
+ return err
+ }
 
 token, err := bundle.GenerateSignedToken(files, signingConfig, "")
 if err != nil {
diff --git a/cmd/sign_test.go b/cmd/sign_test.go
index 4228315fe7..f2dcc666df 100644
--- a/cmd/sign_test.go
+++ b/cmd/sign_test.go
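Review bot: In cmd/build.go, the new guard in buildSigningConfig treats any non-empty `alg` as a request to sign, so if the signing-algorithm flag is registered with a non-empty default (the flag definitions are outside this diff), `dobuild` would reject every unsigned build with the "specify the secret…" error. Confirm the default is empty, or test whether the flag was explicitly set, before relying on `alg != ""`. The function also has no doc comment explaining the two nil returns; something like `// buildSigningConfig returns (nil, nil) when no signing option is set; an option without a key is an error.` would make the contract explicit for callers. The error text is now a literal repeated here and in cmd/sign_test.go, so a shared package-level error value would keep them from drifting.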
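Review bot: In cmd/sign.go, doSign still hands `signingConfig` to `bundle.GenerateSignedToken` when buildSigningConfig returns `(nil, nil)`, which it does when key, algorithm, claims file and plugin are all empty. Whether that path is reachable depends on the parameter validation earlier in doSign, which is outside this hunk. For a command whose only job is to sign, an explicit `if signingConfig == nil {` guard before the call, returning the same missing-key error, would make it fail closed on its own rather than depending on the validator staying in sync.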
@@ -146,6 +146,11 @@ func TestValidateSignParams(t *testing.T) {
 newSignCmdParams(),
 true, fmt.Errorf("specify the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)"),
 },
+ "empty_signing_key": {
+ []string{"foo"},
+ signCmdParams{key: "", bundleMode: true},
+ true, fmt.Errorf("specify the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)"),
+ },
 "non_bundle_mode": {
 []string{"foo"},
 signCmdParams{key: "foo"},
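Review bot: The added `empty_signing_key` case runs under TestValidateSignParams, so the new branch in buildSigningConfig (empty key with a plugin, claims file or algorithm set) has no test in this diff. A small table test asserting that `buildSigningConfig("", "", "claims.json", "")` returns a non-nil error and that `buildSigningConfig("", "", "", "")` returns `nil, nil` would pin the fail-closed behaviour (the file name is a constructed sample). The new case also looks close to the preceding one, which uses `newSignCmdParams()` and expects the same error; if that constructor leaves `key` empty, the two may differ only in `bundleMode`. The table's struct definition and loop are outside the hunk.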