Several package types support signing, for example, UEFI kernel images and Android packages. Signing requires a private key during the build. While the private key has to remain secret, the signed result itself could be public.
In this case, the private key is needed during the build, which is a different use case than the key distribution feature of NixOps, which is intended for keys used during the runtime. If I understood correctly, currently nixpkgs builds do not sign kernel images, for example.
Is there a way to produce signed binaries using Nix?