diff --git a/.github/workflows/acceptance-test.yaml b/.github/workflows/acceptance-test.yaml
index 63ffbc672..d06a6f78d 100644
--- a/.github/workflows/acceptance-test.yaml
+++ b/.github/workflows/acceptance-test.yaml
@@ -42,8 +42,25 @@ jobs:
 if: steps.cache.outputs.cache-hit != 'true'
 run: make ci-bootstrap
 
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v2
+ env:
+ GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
+ PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
+
+ - name: GPG signing info
+ run: |
+ echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
+ echo "keyid: ${{ steps.import_gpg.outputs.keyid }}"
+ echo "name: ${{ steps.import_gpg.outputs.name }}"
+ echo "email: ${{ steps.import_gpg.outputs.email }}"
+
 - name: Build snapshot artifacts
 run: make snapshot
+ env:
+ GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
+ PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
 
 - uses: actions/upload-artifact@v2
 with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 05f790fcf..c86e3bab2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -91,10 +91,26 @@ jobs:
 if: steps.cache.outputs.cache-hit != 'true'
 run: make ci-bootstrap
 
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v2
+ env:
+ GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
+ PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
+
+ - name: GPG signing info
+ run: |
+ echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
+ echo "keyid: ${{ steps.import_gpg.outputs.keyid }}"
+ echo "name: ${{ steps.import_gpg.outputs.name }}"
+ echo "email: ${{ steps.import_gpg.outputs.email }}"
+
 - name: Build & publish release artifacts
 run: make release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
+ PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
 
 - uses: actions/upload-artifact@v2
 with:
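Review bot: `uses: crazy-max/ghaction-import-gpg@v2` hands the release signing private key to a third-party action referenced by a mutable major tag, so the code that receives `SIGNING_GPG_PRIVATE_KEY` can change underneath this workflow without any diff here; pin it to a full commit SHA, `uses: crazy-max/ghaction-import-gpg@<commit-sha>  # v2`, in this hunk and in the identical one in release.yaml. The same two secrets are then exported again as `env` on the `make snapshot` step (and on `make release`), although the import step has already placed the key in the runner keyring and nothing in the Makefile hunks of this diff reads `GPG_PRIVATE_KEY` or `PASSPHRASE`; unless goreleaser itself consumes them, that second export only widens which processes can read the private key and should be dropped. This is the acceptance-test workflow, whose triggers are outside the hunk, so importing the production release key on every run puts that key on many more jobs than release.yaml; if the snapshot build only needs a signature to exist, a separate throwaway test key, or an `if:` guard that limits the import step to trusted refs, keeps the real key confined to the release workflow. The enclosing job definition starts before both hunks.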
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 1a82a8945..4e384ab40 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -4,6 +4,10 @@ release:
 # If set to true, will mark the release as not ready for production.
 prerelease: auto
 
+signs:
+ - artifacts: checksum
+ args: ["--output", "${signature}", "--detach-sign", "${artifact}"]
+
 builds:
 - binary: syft
 env:
diff --git a/Makefile b/Makefile
index 255543f71..00fa85ae4 100644
--- a/Makefile
+++ b/Makefile
@@ -159,6 +159,9 @@ $(SNAPSHOTDIR): ## Build snapshot release binaries and packages
 BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
 $(TEMPDIR)/goreleaser release --skip-publish --rm-dist --snapshot --config $(TEMPDIR)/goreleaser.yaml
 
+ # verify checksum signatures
+ gpg --verify $(SNAPSHOTDIR)/*checksums.txt.sig $(SNAPSHOTDIR)/*checksums.txt
+
 .PHONY: acceptance-mac
 acceptance-mac: $(SNAPSHOTDIR) ## Run acceptance tests on build snapshot binaries and packages (Mac)
 $(call title,Running acceptance test: Run on Mac)
@@ -201,6 +204,9 @@ release: clean-dist ## Build and publish final binaries and packages
 BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
 $(TEMPDIR)/goreleaser --rm-dist --config $(TEMPDIR)/goreleaser.yaml
 
+ # verify checksum signatures
+ gpg --verify $(DISTDIR)/*checksums.txt.sig $(DISTDIR)/*checksums.txt
+
 # create a version file for version-update checks
 echo "$(VERSION)" > $(DISTDIR)/VERSION
 # TODO: add upload to bucket
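Review bot: The `args` list under `signs` runs gpg without `--batch` or `--yes`, so if the passphrase preset from the import step is missing or has expired, a passphrase-protected key turns into an interactive pinentry prompt that hangs the CI job rather than failing it, and with no `--local-user` whichever secret key gpg treats as default is the one that signs the checksums. As far as I can tell those four arguments are goreleaser's own defaults for `signs`, so the line as written changes nothing; `args: ["--batch", "--yes", "--output", "${signature}", "--detach-sign", "${artifact}"]` makes the run non-interactive and fail-closed, and adding `"--local-user", "<signing-key-fingerprint>"` (sourced from configuration rather than hard-coded if the key rotates) makes the choice of key explicit. A short comment above the block stating that only the checksum file is signed and that everything else is covered transitively through it would also help readers of this config.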
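Review bot: The `gpg --verify` added after the snapshot build runs against the same default keyring the workflow just imported the private key into, so it confirms only that goreleaser produced some signature, not that the published checksum file verifies against the public key a user would fetch; the release target's hunk has the same shape. Both globs also assume exactly one match each (goreleaser's default checksum filename includes the version, if this config does not override it), and if `$(SNAPSHOTDIR)` or `$(DISTDIR)` ever holds more than one, gpg receives extra positional arguments and the signature-to-file pairing is no longer what the line intends. A per-file loop removes that assumption, `for sig in $(SNAPSHOTDIR)/*checksums.txt.sig; do gpg --verify "$$sig" "$${sig%.sig}" || exit 1; done`, with the same change for `$(DISTDIR)` in the release recipe. For the check to be more than a smoke test, verify in a scratch keyring that holds only the exported public key (`gpg --no-default-keyring --keyring <scratch-keyring> --verify …`) instead of the runner's default one. Both recipes continue outside their hunks.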