diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a15f893d..87a3228b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -158,13 +158,25 @@ jobs:
 runs-on: ubuntu-20.04
 needs: test
 steps:
- - name: Checkout
+ -
+ name: Checkout
 uses: actions/checkout@v2
- - name: Setup Go
+ -
+ name: Setup Go
 uses: actions/setup-go@v2
 with:
 go-version: '1.16'
- - name: Build
+ -
+ name: Install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.1.0'
+ -
+ name: Write cosign key to disk
+ id: write_key
+ run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
+ -
+ name: Build
 id: build
 run: |
 PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
@@ -172,3 +184,4 @@ jobs:
 env:
 DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+ COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
diff --git a/make/docker.mk b/make/docker.mk
index 8ed25219..edb82423 100644
--- a/make/docker.mk
+++ b/make/docker.mk
@@ -54,6 +54,8 @@ define DOCKER_BUILDX
 # $(1) -- Image Tag
 # $(2) -- Push (empty is no push | --push will push to dockerhub)
 docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
+ echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
+
 endef

 # For non-master builds don't build the docker containers.
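Review bot: The new `Write cosign key to disk` step splices `${{ secrets.COSIGN_KEY }}` straight into the `run` script text, which is the pattern GitHub's own hardening guidance warns against — the secret becomes part of the generated shell script rather than being read from the environment, and the file lands in `/tmp` with the runner's default umask and no cleanup step. Pass the secret through `env:` and create the key file with owner-only permissions, and consider a final `if: always()` step that removes `/tmp/cosign.key` once the Build step has signed. Separately, `sigstore/cosign-installer@main` pins the installer of the release-signing tool to a mutable branch; pin it to a tag or, better, a commit SHA (`sigstore/cosign-installer@<sha>`) since `cosign-release: 'v1.1.0'` only pins the binary, not the action that fetches it. The `Build` step that consumes the key continues past the end of this hunk.

```yaml
-
  name: Write cosign key to disk
  id: write_key
  env:
    COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
  run: |
    umask 077
    printf '%s\n' "$COSIGN_KEY" > /tmp/cosign.key
# … unchanged: Build step …
```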
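Review bot: The added recipe line `echo -n "$(COSIGN_PWD)" | cosign sign ...` has make expand `$(COSIGN_PWD)` before the shell runs and, lacking a leading `@`, prints the fully expanded command to the build log — so the signing-key password appears in CI output, protected only by GitHub's best-effort secret masking. Defer expansion to the shell and silence the echo: `@echo -n "$$COSIGN_PWD" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)` (make passes the workflow's `COSIGN_PWD` env var through unchanged); if this cosign release honours the `COSIGN_PASSWORD` environment variable, exporting that instead would remove the pipe entirely — worth confirming against the v1.1.0 docs. Note also that the sign step runs regardless of `$(2)`, so a call without `--push` will presumably fail to resolve the tag in the registry; gating it on `$(2)` or documenting the assumption in the `# $(2)` comment would make that explicit.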