diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e552ea06fe..641aeb12bb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -86,6 +86,9 @@ jobs:
 needs: [checks, unit-tests]
 outputs:
 release-url: ${{ steps.release-notes.outputs.release-url }}
+ permissions:
+ contents: write # for lucacome/draft-release and goreleaser/goreleaser-action to manage releases
+ id-token: write # for goreleaser/goreleaser-action to sign artifacts
 steps:
 - name: Checkout Repository
 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -99,7 +102,11 @@ jobs:
 - name: Download Syft
 uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
- if: startsWith(github.ref, 'refs/tags/')
+ if: github.ref_type == 'tag'
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+ if: github.ref_type == 'tag'
 - name: Create/Update Draft
 uses: lucacome/draft-release@d13ccde6350706e32f451566ee5cd4bf5a27de3d # v0.2.1
diff --git a/.goreleaser.yml b/.goreleaser.yml
index eaac2c88bd..a6ec72e2fe 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -117,6 +117,18 @@ blobs:
 extra_files:
 - glob: ./dist/**.spdx.json
+signs:
+ - cmd: cosign
+ artifacts: checksum
+ output: true
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - "--output-signature=${signature}"
+ - "--output-certificate=${certificate}"
+ - "${artifact}"
+ - "--yes"
+
 announce:
 slack:
 enabled: true
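Review bot: The job-level `permissions` block added after `outputs:` replaces whatever scopes this job inherited from the workflow or repository default, so every step of the job now runs with only `contents: write` and `id-token: write`; the job definition starts before and continues after this hunk, so confirm none of its other steps need a scope that is now dropped (for example `packages` or `pull-requests`). The two inline comments use a single space before `#`, where the usual two-space inline-comment spacing (yamllint `comments`) applies: `contents: write  # for lucacome/draft-release and goreleaser/goreleaser-action to manage releases`. It would also help to state in the `id-token` comment that the OIDC token scope is granted on every run of the job, not only on tag refs, since the steps that consume it appear to be gated with `if: github.ref_type == 'tag'` rather than the job itself.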
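Review bot: The new `Install Cosign` step is gated with `if: github.ref_type == 'tag'`, so on non-tag runs of this job there is no cosign binary, while `.goreleaser.yml` in the same commit now declares a `signs` entry with `cmd: cosign`; whether that breaks anything depends on the goreleaser step, which lies outside this hunk — confirm it either carries the same tag condition or runs in a mode that skips signing. The rest of the hunk is sound: `github.ref_type == 'tag'` is equivalent to the removed `startsWith(github.ref, 'refs/tags/')`, and the installer is pinned by commit SHA with a version comment, consistent with the neighbouring steps.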
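Review bot: `artifacts: checksum` signs only the checksums file, so the archives and the `./dist/**.spdx.json` SBOMs listed under `extra_files` just above are covered only indirectly — a consumer has to verify the signature on the checksums file and then the checksum of the file they downloaded — and any file absent from the checksums file (check whether the SBOMs are listed in it) stays unsigned. Since no `--key` is passed this appears to be keyless signing with the certificate written to `${artifact}.pem`, which release consumers need to know about; a comment above `signs:` such as `# keyless (OIDC) cosign signature over the checksums file; verify with cosign verify-blob using the .sig and .pem uploaded next to it` would document that contract. The `--yes` argument exists to suppress cosign's interactive confirmation in CI and deserves a trailing comment so it is not removed as noise.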