diff --git a/macros.in b/macros.in
index db5617d032..33335d5b01 100644
--- a/macros.in
+++ b/macros.in
@@ -614,25 +614,24 @@ Supplements:   (%{name} = %{version}-%{release} and langpacks-%{1})\
 #==============================================================================
 # ---- OpenPGP signature macros.
 #	Macro(s) to hold the arguments passed to the cmd implementing package
-#	signing.  Expansion result is parsed by popt, so be sure to use
+#	signing. Input path passed as the first argument, output as second.
+#	Expansion result is parsed by popt, so be sure to use
 #	%{shescape} where needed.
 #
 %__gpg			@__GPG@
-%__gpg_sign_cmd			%{shescape:%{__gpg}} \
+%__gpg_sign_cmd()	%{shescape:%{__gpg}} \
 	--no-verbose --no-armor --no-secmem-warning \
 	%{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \
 	%{?_gpg_sign_cmd_extra_args} \
 	%{?_openpgp_sign_id:-u %{shescape:%{_openpgp_sign_id}}} \
-	-sbo %{shescape:%{?__signature_filename}} \
-	%{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}}
+	-sbo %{shescape:%{2}} -- %{shescape:%{1}}
 
 %__sq @__SQ@
-%__sq_sign_cmd		%{shescape:%{__sq}} \
+%__sq_sign_cmd()	%{shescape:%{__sq}} \
 	sign \
         %{?_openpgp_sign_id:--signer-key %{_openpgp_sign_id}} \
 	%{?_sq_sign_cmd_extra_args} \
-        --detached --output %{shescape:%{?__signature_filename}} \
-        %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}}
+        --detached --output %{shescape:%{2}} -- %{shescape:%{1}}
 
 %__openpgp_sign_path %{expand:%{__%{_openpgp_sign}}}
 %__openpgp_sign_cmd %{expand:%{__%{_openpgp_sign}_sign_cmd}}
diff --git a/sign/rpmgensig.cc b/sign/rpmgensig.cc
index ad3cf38234..bb66af9755 100644
--- a/sign/rpmgensig.cc
+++ b/sign/rpmgensig.cc
@@ -29,6 +29,7 @@
 
 #include "rpmlead.hh"
 #include "signature.hh"
+#include "rpmmacro_internal.hh"
 #include "rpmvs.hh"
 
 #include "debug.h"
@@ -192,22 +193,22 @@ static char ** signCmd(const char *sigfile)
 {
     int argc = 0;
     char **argv = NULL;
+    auto mctx = rpm::macros();
+    auto [ ign, name ] = mctx.expand({"__", "%{_openpgp_sign}", "_sign_cmd"});
+    const char * const margs[] = { "-", sigfile, NULL };
 
-    rpmPushMacro(NULL, "__plaintext_filename", NULL, "-", -1);
-    rpmPushMacro(NULL, "__signature_filename", NULL, sigfile, -1);
-
-    char *cmd = rpmExpand("%{?__openpgp_sign_cmd}", NULL);
-
-    rpmPopMacro(NULL, "__plaintext_filename");
-    rpmPopMacro(NULL, "__signature_filename");
+    auto [ rc, cmd ] = mctx.expand_this(name, (ARGV_const_t)margs, 0);
+    if (rc) {
+	rpmlog(RPMLOG_ERR, _("Expanding signing macro %s failed\n"),
+		name.c_str());
+	return NULL;
+    }
 
-    if (poptParseArgvString(cmd, &argc, (const char ***)&argv) < 0 || argc < 2) {
-	rpmlog(RPMLOG_ERR, _("Invalid sign command: %s\n"), cmd);
+    if (poptParseArgvString(cmd.c_str(), &argc, (const char ***)&argv) < 0 || argc < 2) {
+	rpmlog(RPMLOG_ERR, _("Invalid sign command: %s\n"), cmd.c_str());
 	argv = _free(argv);
     }
 
-    free(cmd);
-
     return argv;
 }