diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0a75cb50cfe3..4df7e7e916e5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,9 @@ on: jobs: release: runs-on: ubuntu-latest + permissions: + contents: write + id-token: write # for cosign env: # https://github.com/actions/setup-go#supported-version-syntax # ex: @@ -57,6 +60,9 @@ jobs: - name: Install snapcraft run: sudo snap install snapcraft --classic + - name: Set up cosign + uses: sigstore/cosign-installer@v3 + - name: Set up QEMU uses: docker/setup-qemu-action@v3 diff --git a/.goreleaser.yml b/.goreleaser.yml index d40fb1a4a034..c699b0513705 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -87,6 +87,17 @@ release: For key updates, see the [changelog](https://golangci-lint.run/product/changelog/#{{ .Major }}{{ .Minor }}{{ .Patch }}). +signs: + - signature: ${artifact}.sigstore.json + cmd: cosign + args: + - sign-blob + - --bundle=${signature} + - --new-bundle-format + - --yes + - ${artifact} + artifacts: checksum + source: enabled: true name_template: '{{ .ProjectName }}-{{ .Version }}-source'
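Review bot: `id-token: write` is granted at job level in the first release.yml hunk, so every step of the `release` job can request the OIDC token that cosign uses as its signing identity, while also holding `contents: write`. That includes the third-party actions and the `sudo snap install` step visible in the next hunk. The job's remaining steps are outside this hunk, so I cannot see how many others share that access. If signing has to stay in this job, say so next to the grant, for example `id-token: write # for cosign; any step in this job can mint the workflow's OIDC identity`, and keep the actions in this job pinned. A job-level `permissions:` block also sets every unlisted scope to none, so please confirm no later step relied on a default scope such as `packages`.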
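Review bot: `uses: sigstore/cosign-installer@v3` in the second release.yml hunk references a mutable tag, and the step runs in a job that now holds `contents: write` and `id-token: write`, so a moved tag would execute with release-signing privileges. Pin it to a full commit SHA with the tag as a trailing comment, `uses: sigstore/cosign-installer@<full-commit-sha> # v3`, and fix the binary as well with `with:` / `cosign-release: '<cosign-version>'`. The second pin matters because `--new-bundle-format` in .goreleaser.yml depends on which cosign release is installed. The context line `docker/setup-qemu-action@v3` uses the same tag style, so this looks like a repository convention to revisit rather than a one-off.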
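Review bot: The `signs:` entry added in the .goreleaser.yml hunk carries no hint of how the signature is meant to be verified, and a keyless signature only proves something when the verifier pins the expected certificate identity and OIDC issuer. Add a comment above `signs:` such as `# Keyless Sigstore signature over the checksum file only; verify with cosign verify-blob --bundle, pinning --certificate-identity to this release workflow and --certificate-oidc-issuer to GitHub Actions`, and repeat those two values in the release notes or docs. With `artifacts: checksum` the archives are covered only indirectly, so users must still check each download against the signed checksum file. `--yes` also records the workflow identity in the public transparency log without a prompt, which deserves a word in the same comment.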