diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go
index 0b5d4e2b193..c5ebcd1683b 100644
--- a/cmd/cosign/cli/sign.go
+++ b/cmd/cosign/cli/sign.go
@@ -32,7 +32,11 @@ func Sign() *cobra.Command {
 cmd := &cobra.Command{
 Use: "sign",
 Short: "Sign the supplied container image.",
- Long: "Sign the supplied container image.",
+ Long: `Sign the supplied container image.
+
+Images should be specified by digest (example.com/image@sha256:abcdef...) rather
+than tag (example.com/image:latest).
+`,
 Example: ` cosign sign --key | [--payload ] [-a key=value] [--upload=true|false] [-f] [-r]
 
 # sign a container image with Google sign-in (experimental)
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index dd003b9910d..2eef8b90e88 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -57,6 +57,14 @@ import (
 _ "github.com/sigstore/cosign/pkg/providers/all"
 )
 
+const TagReferenceMessage string = `WARNING: Image reference %s uses a tag, not a digest, to identify the image to sign.
+
+This can lead you to sign a different image than the intended one. Please use a
+digest (example.com/ubuntu@sha256:abc123...) rather than tag
+(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
+images by tag will be removed in a future release.
+`
+
 func ShouldUploadToTlog(ctx context.Context, ref name.Reference, force bool, noTlogUpload bool, url string) bool {
 // Check whether experimental is on!
 if !options.EnableExperimental() {
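Review bot: `TagReferenceMessage` is an exported constant with no doc comment, and nothing at the declaration tells a reader that it is a `fmt` format string expecting exactly one `%s` argument, which only becomes apparent at the `fmt.Fprintf` call site in a different hunk; suggest `// TagReferenceMessage is the fmt format string for the warning printed when an image is referenced by tag rather than by digest; its single %s verb takes the reference the user supplied.` The explicit `string` type can be dropped (`const TagReferenceMessage = ...`) since an untyped string constant works unchanged with `fmt.Fprintf`. Because the user-supplied reference is interpolated into the warning, `%q` instead of `%s` would make an empty or whitespace-containing reference visible in the output; that is a wording choice to weigh against the message text.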
@@ -151,9 +159,9 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist
 return fmt.Errorf("unable to resolve attachment %s for image %s", attachment, inputImg)
 }
 
- if _, ok := ref.(name.Tag); ok {
- fmt.Println("Warning: Tag used in reference to identify the image. Consider supplying the digest for immutability.")
- }
+ if _, ok := ref.(name.Tag); ok {
+ fmt.Fprintf(os.Stderr, TagReferenceMessage, inputImg)
+ }
 
 if digest, ok := ref.(name.Digest); ok && !recursive {
 se, err := ociremote.SignedEntity(ref, opts...)
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index e4a633eb7ba..6ee24a90e10 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -6,6 +6,10 @@ Sign the supplied container image.
 Sign the supplied container image.
 
+Images should be specified by digest (example.com/image@sha256:abcdef...) rather
+than tag (example.com/image:latest).
+
+
 ```
 cosign sign [flags]
 ```
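Review bot: The new `if _, ok := ref.(name.Tag); ok` check runs after the attachment-resolution error check visible on the line above, so if `ref` has by then been replaced by the attachment's reference, the warning would fire for a digest-supplied `inputImg` whenever an attachment is requested and would name a reference that was never type-checked; this is inferred from the visible `attachment` handling and should be confirmed against the lines before the hunk. If it holds, test the reference parsed from `inputImg` before attachment resolution, or at least print `ref.String()` so the message names the reference actually inspected. SignCmd starts before and ends after this hunk. Since the tag is presumably resolved to a digest later in the flow, including that resolved digest in the warning would also let an operator confirm what was actually signed.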