diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d0eceac8..c722da52 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,7 @@ on:
 permissions:
   contents: write # needed to write releases
   id-token: write # needed for keyless signing
+  packages: write # needed for push images
 
 jobs:
   release:
@@ -23,13 +24,33 @@ jobs:
           go-version: '1.22'
           check-latest: true
 
+      - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 # v0.2
+
       - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
       - uses: anchore/sbom-action/download-syft@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10
 
+      - name: Set env
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
+
+      - name: Login to GitHub Containers
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         with:
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          KO_DOCKER_REPO: ghcr.io/sigstore/gitsign
+
+      - name: sign image
+        run: |
+          digest=$(crane digest ghcr.io/sigstore/gitsign:${{ env.RELEASE_VERSION }})
+          cosign sign "ghcr.io/sigstore/gitsign@${digest}"
+        env:
+          COSIGN_YES: true
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 33f57a15..07cfd7f5 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,70 +1,88 @@
 project_name: gitsign
 
+gomod:
+  proxy: true
+
 builds:
-- id: gitsign
-  mod_timestamp: '{{ .CommitTimestamp }}'
-  env:
-  - CGO_ENABLED=0
-  flags:
-  - -trimpath
-  goos:
-  - linux
-  - darwin
-  - freebsd
-  - windows
-  goarch:
-  - amd64
-  - arm64
-  ldflags:
-  - "-s -w"
-  - "-extldflags=-zrelro"
-  - "-extldflags=-znow"
-  - "-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}"
+  - id: gitsign
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+    goos:
+      - linux
+      - darwin
+      - freebsd
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+      - "-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}"
 
-- id: gitsign-credential-cache
-  mod_timestamp: '{{ .CommitTimestamp }}'
-  main: ./cmd/gitsign-credential-cache
-  binary: gitsign-credential-cache
-  env:
-  - CGO_ENABLED=0
-  flags:
-  - -trimpath
-  goos:
-  - linux
-  - darwin
-  - freebsd
-  # - windows # TODO: fix undefined: syscall.Umask for windows builds
-  goarch:
-  - amd64
-  - arm64
-  ldflags:
-  - "-s -w"
-  - "-extldflags=-zrelro"
-  - "-extldflags=-znow"
-  - "-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}"
+  - id: gitsign-credential-cache
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    main: ./cmd/gitsign-credential-cache
+    binary: gitsign-credential-cache
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+    goos:
+      - linux
+      - darwin
+      - freebsd
+      # - windows # TODO: fix undefined: syscall.Umask for windows builds
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+      - "-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}"
 
 nfpms:
-- id: default
-  package_name: gitsign
-  vendor: Sigstore
-  homepage: https://github.com/sigstore/gitsign
-  maintainer: Billy Lynch <info@sigstore.dev>
-  description: Keyless git commit signing using OIDC identity
-  builds:
-    - gitsign
-    - gitsign-credential-cache
-  formats:
-  - apk
-  - deb
-  - rpm
+  - id: default
+    package_name: gitsign
+    vendor: Sigstore
+    homepage: https://github.com/sigstore/gitsign
+    maintainer: Billy Lynch <info@sigstore.dev>
+    description: Keyless git commit signing using OIDC identity
+    builds:
+      - gitsign
+      - gitsign-credential-cache
+    formats:
+      - apk
+      - deb
+      - rpm
 
 archives:
-- id: binary
-  format: binary
-  allow_different_binary_count: true
+  - id: binary
+    format: binary
+    allow_different_binary_count: true
 
-gomod:
-  proxy: true
+kos:
+  - id: gitsign
+    repository: github.com/sigstore/gitsign
+    tags:
+      - 'v{{ .Version }}'
+    ldflags:
+      - "-s -w -extldflags=-zrelro -extldflags=-znow -buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}"
+    main: .
+    bare: true
+    preserve_import_paths: false
+    base_import_paths: false
+    sbom: spdx
+    base_image: cgr.dev/chainguard/git:latest
+    platforms:
+      - linux/amd64
+      - linux/arm64
+      - linux/arm
 
 checksum:
   name_template: 'checksums.txt'
@@ -73,24 +91,24 @@ source:
   enabled: true
 
 sboms:
-- id: binaries
-  artifacts: binary
-- id: packages
-  artifacts: package
+  - id: binaries
+    artifacts: binary
+  - id: packages
+    artifacts: package
 
 signs:
-- cmd: cosign
-  env:
-  - COSIGN_YES=true
-  certificate: '${artifact}.pem'
-  signature: '${artifact}.sig'
-  args:
-    - sign-blob
-    - '--output-certificate=${certificate}'
-    - '--output-signature=${signature}'
-    - '${artifact}'
-  artifacts: binary
-  output: true
+  - cmd: cosign
+    env:
+      - COSIGN_YES=true
+    certificate: '${artifact}.pem'
+    signature: '${artifact}.sig'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: binary
+    output: true
 
 release:
   prerelease: allow