diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6ff818498e5e82ae32c9e6f6da75c4aa05be3a78..36cc5ffaa6c991289be49ca0cf5985c8cd29d104 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -55,6 +55,7 @@ stages:
   - quality
   - deploy
   - sign
+  - verify
   - release
   - cleanup
 
@@ -271,6 +272,22 @@ gitlab-opentofu-image:sign:
   rules:
     - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
 
+gitlab-opentofu-image:verify-signature:
+  extends: '.image-matrix:deploy'
+  stage: verify
+  image: alpine:3.20.3
+  before_script:
+    - *image-matrix-deploy-release-name-script
+    - apk add --update cosign
+  script:
+    - cosign verify
+      --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG"
+      --certificate-oidc-issuer "https://gitlab.com"
+      "$RELEASE_IMAGE"
+      "$(crane digest --full-ref "$RELEASE_IMAGE")"
+  rules:
+    - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
+
 .release:base:
   stage: release
   image: registry.gitlab.com/gitlab-org/release-cli:v0.19.0