diff --git a/dot_config/private_jj/config.toml.tmpl b/dot_config/private_jj/config.toml.tmpl
index d6afe5ad55140ca38eb9247438ec94b211e765b9..271347199ba3a654a7b1aaf63c0120c6bebd5627 100644
--- a/dot_config/private_jj/config.toml.tmpl
+++ b/dot_config/private_jj/config.toml.tmpl
@@ -11,18 +11,57 @@ show-cryptographic-signatures = true
 [signing]
 backend = "ssh"
 {{- if ne .chezmoi.username "exedev" }}
-behavior = "own"
+behavior = "drop"
 {{- end }}
-
-[signing.backends.ssh]
 {{- if eq .chezmoi.hostname "angmar" }}
-key = "~/.ssh/yk-stationary.pub"
+key = "{{ .chezmoi.homeDir }}/.ssh/yk-stationary.pub"
 {{- else }}
-key = "~/.ssh/yk-mobile.pub"
+key = "{{ .chezmoi.homeDir }}/.ssh/yk-mobile.pub"
 {{- end }}
+
+[signing.backends.ssh]
 allowed-signers = "/home/amolith/.ssh/allowed_signers"
 
 [git]
 {{- if ne .chezmoi.username "exedev" }}
-sign-on-push = true
+# Keep built-in push signing off so jj doesn't sign commits authored by others.
+sign-on-push = false
+{{- end }}
+
+[aliases]
+{{- if ne .chezmoi.username "exedev" }}
+# Use `jj push` (this alias), not `jj git push`.
+# It signs only our own mutable unsigned commits in the push range, then pushes.
+push = ["util", "exec", "--", "bash", "-c", """
+set -euo pipefail
+
+remote=""
+args=("$@")
+i=0
+while [ "$i" -lt "$#" ]; do
+ arg="${args[$i]}"
+ case "$arg" in
+ --remote=*)
+ remote="${arg#--remote=}"
+ ;;
+ --remote)
+ i=$((i + 1))
+ if [ "$i" -lt "$#" ]; then
+ remote="${args[$i]}"
+ fi
+ ;;
+ esac
+ i=$((i + 1))
+done
+
+if [ -z "$remote" ]; then
+ remote="$(jj config get git.push 2>/dev/null || true)"
+fi
+if [ -z "$remote" ]; then
+ remote="origin"
+fi
+
+jj sign -r "mine() & mutable() & ~signed() & (remote_bookmarks(remote=${remote})..@)"
+jj git push "$@"
+""", ""]
 {{- end }}
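Review bot: The `jj sign` revset in the new `push` alias only covers `remote_bookmarks(remote=${remote})..@`, so a commit pushed by the trailing `jj git push "$@"` that is not an ancestor of the working copy (for example a bookmark selected with `--bookmark` or `--all`) falls outside it, and with `sign-on-push = false` it would go out unsigned without any message. Consider widening the heads to what can actually be pushed, e.g. `(remote_bookmarks(remote=${remote})..(@ | bookmarks()))`, or listing the remaining `mine() & ~signed()` commits in the push range before the push and stopping if there are any. `${remote}` is also placed in the revset as a bare pattern, so a remote whose name merely contains the chosen one may match as well, depending on how this jj version treats unprefixed patterns; an `exact:` pattern would pin it. Separately, `allowed-signers` still hard-codes `/home/amolith/...` while the `key` lines now use `{{ .chezmoi.homeDir }}`, so signature verification would point at a missing file on hosts with a different home directory.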