diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eedf2ec..b3648ce 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,6 +25,8 @@ jobs:
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: stable
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@59acb623e2b6991341b1d1e8a7001d2d622ca219 # v3.5.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
         with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index d5b1f58..de79af9 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -53,3 +53,14 @@ release:
     name: structalign
   draft: false
   prerelease: auto
+
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sigstore.json"
+    args:
+      - "sign-blob"
+      - "--bundle=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum
+