diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bf25e3830a..43af980273 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -98,6 +98,7 @@ jobs:
     needs: [vars, unit-tests, njs-unit-tests]
     permissions:
       contents: write # for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases
+      id-token: write # for goreleaser/goreleaser-action to sign artifacts
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -125,6 +126,10 @@ jobs:
         uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
         if: startsWith(github.ref, 'refs/tags/')
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        if: startsWith(github.ref, 'refs/tags/')
+
       - name: Build binary
         uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
         with:
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 81db615838..c494cc0a5a 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -32,6 +32,18 @@ blobs:
   - provider: azblob
     bucket: '{{.Env.AZURE_BUCKET_NAME}}'
 
+signs:
+  - cmd: cosign
+    artifacts: checksum
+    output: true
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - "--output-signature=${signature}"
+      - "--output-certificate=${certificate}"
+      - "${artifact}"
+      - "--yes"
+
 announce:
   slack:
     enabled: true
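Review bot: The comment on the new `id-token: write` line under-describes the grant: `permissions` is job-scoped, so the OIDC token is obtainable by every step of this job (checkout, the syft download and goreleaser steps visible in the next hunk, presumably the same job), not only during signing. Suggest `id-token: write # OIDC token for cosign keyless signing run by goreleaser; job-scoped, so any step in this job can request it`. The enclosing job definition starts and ends outside the hunk.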
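Review bot: The Install Cosign step is gated on tag refs, but whether the Build binary step that follows carries the same gate is not visible here (its `with:` block and any `if:` lie outside the hunk); if goreleaser also runs for non-tag refs with the new `signs:` stanza in .goreleaser.yml, the sign stage would fail because cosign is absent from PATH. If that is the case, either gate the goreleaser step identically or pass a sign-skip argument (e.g. `--skip-sign`, if the GoReleaser version in use supports it) on non-tag runs. Pinning the installer to a full commit SHA with the version in a trailing comment matches the neighbouring steps.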
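Review bot: The new `signs:` entry mixes quoting styles — `certificate: '${artifact}.pem'` is single-quoted while every `args` item is double-quoted; none of these strings needs escape processing, so single quotes throughout (`- '--output-signature=${signature}'` and so on) would be consistent with the `bucket:` line above. The design choice also deserves a comment above `artifacts: checksum`: only the checksums file is signed, so integrity of each binary rests on verifying that signature first and then the checksums, and `--yes` auto-accepts the transparency-log upload prompt; e.g. `# Only the checksums file is signed (keyless, inferred from --output-certificate and the id-token permission in ci.yml); verify its signature, then verify binaries against it`. The `announce:` block continues outside the hunk.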