diff --git a/.github/workflows/release-stable.yaml b/.github/workflows/release-stable.yaml
index 0bbab14a3..4da1d7e70 100644
--- a/.github/workflows/release-stable.yaml
+++ b/.github/workflows/release-stable.yaml
@@ -30,16 +30,21 @@ jobs:
           apt-get update
           apt-get install -y --no-install-recommends \
             fury-cli
+          curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+          mv cosign-linux-amd64 /usr/local/bin/cosign
+          chmod +x /usr/local/bin/cosign
 
       - name: Generate GoReleaser configuration
         run: |
           ytt -f .goreleaser-stable.yaml > goreleaser-stable.yaml
 
-      - name: Write cosign key to file
+      - name: Write cosign key and pubkey to file
         run: |
           echo "$COSIGN_KEY" > cosign.key
           chmod 600 cosign.key
+          echo "$COSIGN_PASSWORD" | cosign public-key --key cosign.key > public.key
         env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
 
       - name: Run GoReleaser
diff --git a/.goreleaser-stable.yaml b/.goreleaser-stable.yaml
index 1b236db8d..5394e434c 100644
--- a/.goreleaser-stable.yaml
+++ b/.goreleaser-stable.yaml
@@ -46,6 +46,8 @@ release:
 
     This is a stable release of kraftkit.
   name_template: 'v{{ .Version }}'
+  extra_files:
+    - public.key
 
 signs:
   - id: cosign