diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e2a93b3..e66f8a3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,6 +11,7 @@ on:
 - main
 permissions:
+ id-token: write
 contents: write
 packages: write
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index e492896..8c56007 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -87,3 +87,23 @@ homebrew_casks:
 system_command "/usr/bin/xattr", args: ["-dr", "com.apple.quarantine", "#{staged_path}/semver-generator"]
 end
+
+signs:
+ - cmd: cosign
+ signature: "${artifact}.sigstore.json"
+ args:
+ - sign-blob
+ - "--bundle=${signature}"
+ - "${artifact}"
+ - "--yes"
+ artifacts: checksum
+ output: true
+
+docker_signs:
+ - cmd: cosign
+ artifacts: manifests
+ output: true
+ args:
+ - sign
+ - "${artifact}@${digest}"
+ - "--yes"
diff --git a/README.md b/README.md
index 2406385..953ab61 100644
--- a/README.md
+++ b/README.md
@@ -146,6 +146,25 @@ jobs:
 docker pull ghcr.io/lukaszraczylo/semver-generator:latest
 ```
+#### Verifying Release Signatures
+
+All release checksums and Docker images are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
+
+```bash
+# Verify checksum signature
+cosign verify-blob \
+ --certificate-identity-regexp "https://github.com/lukaszraczylo/semver-generator/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ --bundle ".sigstore.json" \
+
+
+# Verify Docker image
+cosign verify \
+ --certificate-identity-regexp "https://github.com/lukaszraczylo/semver-generator/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ ghcr.io/lukaszraczylo/semver-generator:latest
+```
+
 **Docker supported architectures:** Linux/arm64, Linux/amd64
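Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow — not just the one that runs goreleaser and cosign — can mint an OIDC token and therefore obtain a Fulcio signing certificate under this repository's identity. Scope it to the signing job instead: remove the top-level line and put `permissions:` / `id-token: write` / `contents: write` / `packages: write` under that job, which keeps `id-token` out of any build, test or lint job that also runs here. Because any step holding that token can sign, the actions used by the signing job should be pinned to commit SHAs rather than floating tags, otherwise a compromised third-party action can produce valid keyless signatures for this project. The `jobs:` section is outside the hunk, so whether the workflow has more than one job cannot be confirmed from here.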
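Review bot: `signs` covers only the checksum file (`artifacts: checksum`), so the archives and binaries published next to it carry no signature of their own and a consumer who verifies the bundle has proven nothing about a downloaded archive until its sha256 is also checked against that file; record that in the config so the documented verification steps stay consistent with it, e.g. above `signs:`: `# Keyless cosign signature over the checksums file only; verifiers must check the bundle, then sha256sum -c the archive against the checksums file.` In GitHub Actions keyless mode the certificate subject is the path and ref of the workflow that ran cosign, and `docker_signs` signs the manifest list by digest (`${artifact}@${digest}`), so a short comment above `docker_signs:` stating the expected `--certificate-identity` (this release workflow at a `refs/tags/` ref) and that images should be verified by digest rather than a mutable tag would let consumers pin tighter than a repo-wide regexp. Whether the cosign version in the release environment needs `COSIGN_EXPERIMENTAL` for keyless mode is not visible from the hunk.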