diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4b22c09..d07e084 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,6 +31,7 @@ jobs:
       contents: write
       packages: write
       id-token: write
+      attestations: write
     steps:
 
       - name: Checkout
@@ -38,11 +39,14 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up Go
+      - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.8.1
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index baa54f6..e660f3b 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -74,6 +74,13 @@ docker_manifests:
       - ghcr.io/firebolt-db/mcp-server:{{ .Version }}-amd64
       - ghcr.io/firebolt-db/mcp-server:{{ .Version }}-arm64v8
 
+docker_signs:
+  - artifacts: all
+    args:
+      - "sign"
+      - "${artifact}@${digest}"
+      - "--yes"
+
 release:
   replace_existing_artifacts: true
   mode: keep-existing