diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2332d9039..65e5f94d3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -94,6 +94,8 @@ jobs:
     permissions:
       contents: write
       packages: write
+      # required for goreleaser signs section with cosign
+      id-token: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 9f138f3d3..762d87d3e 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -259,3 +259,16 @@ sboms:
       - "$artifact"
       - "--output"
       - "json=$document"
+
+signs:
+  - cmd: .tool/cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    args:
+      - "sign-blob"
+      - "--oidc-issuer=https://token.actions.githubusercontent.com"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum
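Review bot: The comment on the new `id-token: write` line says what needs the permission but not what it grants: with it, every step in this job, including any third-party action, can request a GitHub OIDC token and obtain a Sigstore certificate that bears this workflow's identity, which is exactly what a verifier of the release signatures will trust. I would replace the comment with `# id-token: write lets cosign fetch a GitHub OIDC token for keyless (Sigstore) signing;` / `# every step in this job can read that token, so keep all actions SHA-pinned`. The permission is job-scoped rather than workflow-wide and the visible `actions/checkout` step is pinned by commit SHA, which is the right shape; the remaining steps of the job lie outside the hunk, so I cannot confirm they are all pinned the same way.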
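Review bot: The new `signs` section records nothing about the identity a verifier must check, and because the signature is keyless the emitted `.pem` by itself proves only that some GitHub-issued OIDC identity signed the checksum file; a consumer has to pin `--certificate-oidc-issuer https://token.actions.githubusercontent.com` and a `--certificate-identity`/`--certificate-identity-regexp` matching this repository's release workflow for the signature to mean anything. I would add a comment above `signs:` stating that the checksums file is signed keyless via Sigstore, giving the `cosign verify-blob` invocation with `--certificate`, `--signature` and those two identity flags, and noting that per-artifact integrity is transitive through the checksums file, so verifiers must check both the signature and the listed digests. `cmd: .tool/cosign` is a relative path to a binary whose provenance is not visible in this hunk; if it is downloaded at build time, pin its version and verify its digest (or install it with a SHA-pinned official action), since the signer binary sits in the trust path of every release. `--yes` also suppresses the interactive consent for uploading to the public transparency log, which is the intended CI behaviour but is worth stating in the same comment so nobody later treats it as a safe-to-remove prompt skip.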