diff --git a/config/feature_flags/gitlab_com_derisk/strip_signature_from_ci_commit_tag_message.yml b/config/feature_flags/gitlab_com_derisk/strip_signature_from_ci_commit_tag_message.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e4782245cce42163e56234938a7bd02adc301d90
--- /dev/null
+++ b/config/feature_flags/gitlab_com_derisk/strip_signature_from_ci_commit_tag_message.yml
@@ -0,0 +1,10 @@
+---
+name: strip_signature_from_ci_commit_tag_message
+description:
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/583219
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/215579
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/583733
+milestone: '18.8'
+group: group::pipeline authoring
+type: gitlab_com_derisk
+default_enabled: false
diff --git a/lib/gitlab/ci/variables/builder/pipeline.rb b/lib/gitlab/ci/variables/builder/pipeline.rb
index d25c1a020d5e24bdc8ea7da6945eb466f4f1f2fd..01f49429825a7189d473b27c423c95ae8f317f9b 100644
--- a/lib/gitlab/ci/variables/builder/pipeline.rb
+++ b/lib/gitlab/ci/variables/builder/pipeline.rb
@@ -6,6 +6,7 @@ module Variables
 class Builder
 class Pipeline
 include Gitlab::Utils::StrongMemoize
+ include GitHelper
 
 MAX_COMMIT_MESSAGE_SIZE_IN_BYTES = ENV.fetch('GITLAB_CI_MAX_COMMIT_MESSAGE_SIZE_IN_BYTES', 100_000)
 .to_i
@@ -83,7 +84,12 @@ def predefined_commit_tag_variables
 next variables unless git_tag
 
 variables.append(key: 'CI_COMMIT_TAG', value: pipeline.ref)
- variables.append(key: 'CI_COMMIT_TAG_MESSAGE', value: git_tag.message)
+
+ if Feature.enabled?(:strip_signature_from_ci_commit_tag_message, pipeline.project)
+ variables.append(key: 'CI_COMMIT_TAG_MESSAGE', value: strip_signature(git_tag.message))
+ else
+ variables.append(key: 'CI_COMMIT_TAG_MESSAGE', value: git_tag.message)
+ end
 end
 end
 strong_memoize_attr :predefined_commit_tag_variables
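Review bot: `description:` is left empty in the new flag definition while every other field is filled in, so a reader of the flag file has to open the issue links to learn what toggling it does. A one-line description that matches the flag's use in pipeline.rb would do, e.g. `description: Strip embedded signature blocks from the CI_COMMIT_TAG_MESSAGE predefined variable`.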
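Review bot: In the new `if Feature.enabled?` branch, `strip_signature(git_tag.message)` receives whatever `git_tag.message` holds, whereas the removed line passed that value through untouched; if a tag without a message (a lightweight tag) yields nil here, the flag-enabled path would now call the helper on nil, which is a behaviour change the hunk does not address unless `GitHelper#strip_signature` is nil-safe (not visible in this diff). A guard keeps the old pass-through for that case: `value: git_tag.message && strip_signature(git_tag.message)`. The two branches differ only in the value, so computing `message = Feature.enabled?(:strip_signature_from_ci_commit_tag_message, pipeline.project) ? strip_signature(git_tag.message) : git_tag.message` and appending once reads better and avoids the duplicated key. A short comment on the `include GitHelper` line in the first hunk, such as `# GitHelper supplies strip_signature, used to drop signature blocks from the tag message`, would tell the next reader why a view helper is mixed into this builder class. `predefined_commit_tag_variables` begins before this hunk.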
diff --git a/spec/lib/gitlab/ci/variables/builder/pipeline_spec.rb b/spec/lib/gitlab/ci/variables/builder/pipeline_spec.rb
index c450f9d3df962767ab7ed5f4302e9db2d74d9a38..c98e164913bc3be7c45dd6a44c77ff4cbd4ce372 100644
--- a/spec/lib/gitlab/ci/variables/builder/pipeline_spec.rb
+++ b/spec/lib/gitlab/ci/variables/builder/pipeline_spec.rb
@@ -178,6 +178,41 @@
 end
 end
 
+ context 'when tag has an SSH signature' do
+ let(:tag_name) { 'v1.0.0' }
+ let(:tag_message_with_signature) do
+ <<~MESSAGE
+ Version 1.0.0
+ -----BEGIN SSH SIGNATURE-----
+
+ iQEzB...
+ -----END SSH SIGNATURE-----
+ MESSAGE
+ end
+
+ let(:pipeline) { build(:ci_empty_pipeline, :created, project: project, ref: tag_name, tag: true) }
+
+ before do
+ allow(project.repository).to receive(:find_tag).with(tag_name).and_return(
+ instance_double(Gitlab::Git::Tag, message: tag_message_with_signature)
+ )
+ end
+
+ it 'sanitizes SSH signature from CI_COMMIT_TAG_MESSAGE' do
+ expect(subject.to_hash['CI_COMMIT_TAG_MESSAGE']).to eq("Version 1.0.0\n\n")
+ end
+
+ context 'when "strip_signature_from_ci_commit_tag_message" FF is disabled' do
+ before do
+ stub_feature_flags(strip_signature_from_ci_commit_tag_message: false)
+ end
+
+ it 'returns signature in the message' do
+ expect(subject.to_hash['CI_COMMIT_TAG_MESSAGE']).to eq(tag_message_with_signature)
+ end
+ end
+ end
+
 context 'when merge request is present' do
 let_it_be(:assignees) { create_list(:user, 2) }
 let_it_be(:milestone) { create(:milestone, project: project) }
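Review bot: The new context pins only one SSH-signed message, so the flag-enabled path is never exercised for a tag whose `message` is nil or empty, nor for any other signature block format the helper may handle; an example built with `instance_double(Gitlab::Git::Tag, message: nil)` asserting what `CI_COMMIT_TAG_MESSAGE` holds would catch a regression in that case. The expected `"Version 1.0.0\n\n"` on the `it 'sanitizes SSH signature ...'` example also encodes that the newlines around the removed block survive; a one-line comment above that `expect`, `# only the signature block is removed; surrounding newlines are kept`, would make that intentional rather than incidental.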