diff --git a/internal/controllers/container_reconciler_loop.go b/internal/controllers/container_reconciler_loop.go
index d69583de2..ea66f6699 100644
--- a/internal/controllers/container_reconciler_loop.go
+++ b/internal/controllers/container_reconciler_loop.go
@@ -3715,6 +3715,8 @@ func (r *containerReconcilerLoop) updateNodeAnnotations(ctx context.Context) err
 	}
 	newDrivesStr, _ := json.Marshal(updatedDrivesList)
 	node.Annotations["weka.io/weka-drives"] = string(newDrivesStr)
+	// calculate hash, based on o.node.Status.NodeInfo.BootID
+	node.Annotations["weka.io/sign-drives-hash"] = domain.CalculateNodeDriveSignHash(node)
 
 	// Update weka.io/drives extended resource
 	blockedDrives := []string{}
diff --git a/internal/controllers/operations/sign_drives.go b/internal/controllers/operations/sign_drives.go
index b1495fc74..44b00d129 100644
--- a/internal/controllers/operations/sign_drives.go
+++ b/internal/controllers/operations/sign_drives.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"github.com/weka/weka-operator/internal/pkg/domain"
 	"strings"
 	"time"
 
@@ -155,9 +156,9 @@ func (o *SignDrivesOperation) EnsureContainers(ctx context.Context) error {
 		}
 
 		// if data exists and not force - skip
-		// TODO: Does it work? repeat runs do create repeate wekacontainers, so sounds like this check is broken
 		if !o.force {
-			if node.Annotations["weka.io/weka-drives"] != "" {
+			targetHash := domain.CalculateNodeDriveSignHash(&node)
+			if node.Annotations["weka.io/sign-drives-hash"] == targetHash {
 				skip += 1
 				continue
 			}
diff --git a/internal/pkg/domain/hashs.go b/internal/pkg/domain/hashs.go
new file mode 100644
index 000000000..cc91c9e82
--- /dev/null
+++ b/internal/pkg/domain/hashs.go
@@ -0,0 +1,12 @@
+package domain
+
+import (
+	"crypto/sha256"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+func CalculateNodeDriveSignHash(node *corev1.Node) string {
+	return fmt.Sprintf("%x", sha256.Sum256([]byte(node.Status.NodeInfo.BootID)))
+}