diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5a86ff38feced5e7cff70fa9a2cecf16f443068c..c06fd987d1d08d6df9dd906e611ecca97f7b4ee0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -182,7 +182,7 @@ shellcheck:
 .gitlab-opentofu-image:deploy:base:
   stage: deploy
   image:
-    name: gcr.io/go-containerregistry/crane:debug
+    name: alpine/crane:0.20.0
     entrypoint: [""]
   variables:
     GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS
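Review bot: The replacement image at `name: alpine/crane:0.20.0` is referenced by a mutable tag and comes from a different namespace than the upstream crane image it replaces. This base job is the one that pushes release images, so it presumably runs with registry write credentials, and the extending job also receives a Sigstore ID token. Pinning by digest would make the tool image immutable, e.g. `name: alpine/crane:0.20.0@sha256:<digest-of-the-reviewed-image>`, with a comment recording where that digest was taken from. The job definition continues outside the hunk.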
@@ -219,8 +219,18 @@ shellcheck:
 
 gitlab-opentofu-image:deploy:
   extends: ['.gitlab-opentofu-image:deploy:base']
+  variables:
+    COSIGN_YES: "true"  # Used by Cosign to skip confirmation prompts for non-destructive operations
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
   script:
+    # Install dependencies, can't use before_script because of the job we are extending.
+    - apk add --update cosign
+    # Release image
     - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
+    # Sign image
+    - cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
     - export image_digest="$(crane digest $RELEASE_IMAGE)"
     - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md'
   artifacts:
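Review bot: The added `cosign sign` line signs whatever digest the `$RELEASE_IMAGE` tag resolves to after the push, and the unchanged line below it resolves the tag a second time for the release notes, so the signed digest and the published digest can differ if the tag moves in between. Resolve it once and reuse it: `- image_ref="$(crane digest --full-ref "$RELEASE_IMAGE")"` followed by `- cosign sign "$image_ref"`, and derive `image_digest` from that same value. Separately, `apk add --update cosign` installs whichever version the Alpine repository serves at run time; pinning the package version or baking cosign into the job image would keep the signing tool reproducible. The job definition continues past the end of the hunk.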
diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index a1ad5a75a5d3fdfa0896ae43b314f6e7092277cf..7a09bf94776d18abe41e6c85c6309c4f96aabf73 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -328,6 +328,16 @@ However, we cannot use the alternative `+` which would indicate build metadata
 as we'd like.
 See https://github.com/distribution/distribution/issues/1201*
 
+### Image Signing
+
+Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
+using [`sigstore/cosign`](https://github.com/sigstore/cosign).
+
+Check the following docs to learn more about verifying the signature:
+
+- https://docs.sigstore.dev/cosign/verifying/verify/
+- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+
 ### Using with Renovate
 
 To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).
diff --git a/.gitlab/release-notes.md.template b/.gitlab/release-notes.md.template
index 36585db15fb8ee85cb1a176a8f10bf8a0f944af6..40dedc61692c7eccb7b50ef102e99d8bdf4a44f0 100644
--- a/.gitlab/release-notes.md.template
+++ b/.gitlab/release-notes.md.template
@@ -43,6 +43,8 @@ And with the follow base OS images:
 - `alpine`, use `base_os: alpine` input to use it (default).
 - `debian`, use `base_os: debian` input to use it.
 
+The images have been signed with `cosign`.
+
 > **Note:**
 >
 > When using the component with the inputs `version` and `opentofu_version`,<br>
diff --git a/README.md b/README.md
index 1a1eefe8be46748aefe50ca78e95d97579eba5b4..0402b3ce4ce485b089bcd6311605805f394202e1 100644
--- a/README.md
+++ b/README.md
@@ -347,6 +347,16 @@ However, we cannot use the alternative `+` which would indicate build metadata
 as we'd like.
 See https://github.com/distribution/distribution/issues/1201*
 
+### Image Signing
+
+Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
+using [`sigstore/cosign`](https://github.com/sigstore/cosign).
+
+Check the following docs to learn more about verifying the signature:
+
+- https://docs.sigstore.dev/cosign/verifying/verify/
+- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+
 ### Using with Renovate
 
 To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).