diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c65853df4..210b18aad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,10 @@ on:
 tags:
 - v*.*.*
+permissions:
+ contents: write
+ id-token: write
+
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
@@ -19,6 +23,10 @@ jobs:
 uses: actions/setup-go@v3
 with:
 go-version: 1.18
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v2.2.1
+ with:
+ cosign-release: 'v1.7.2'
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 9ee257148..21ab440ec 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -22,6 +22,19 @@ changelog:
 skip: true
 checksum:
 name_template: 'checksums.txt'
+signs:
+ - cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ signature: '${artifact}.keyless.sig'
+ certificate: '${artifact}.pem'
+ output: true
+ artifacts: checksum
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
 release:
 github:
 owner: terraform-linters
diff --git a/README.md b/README.md
index 14aaed1ac..1531627ab 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,25 @@ Chocolatey (Windows):
 choco install tflint
 ```
+### Verification
+
+GnuPG
+
+```
+gpg --import 8CE69160EB3F2FE9.key
+gpg --verify checksum.txt.sig checksum.txt
+sha256sum --ignore-missing -c checksums.txt
+```
+
+Cosign (experimental)
+
+```
+COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature checksums.txt.keyless.sig checksums.txt
+sha256sum --ignore-missing -c checksums.txt
+```
+
+**IMPORTANT:** Keyless Signing is in development and you should not completely trust this way. For instance, you have not validated the OIDC subject claim, so it is not guaranteed to be the public key issued by the maintainers.
+
 ### Docker
 Instead of installing directly, you can use the Docker images:
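Review bot: The `permissions` block is declared at workflow level, so `contents: write` and `id-token: write` are granted to every job in this file rather than only to the job that runs GoReleaser and cosign. Moving the block under `jobs.goreleaser` limits the grant to the one job that needs it, and any job added later to this workflow then defaults to read-only. `id-token: write` is what lets cosign request an OIDC token for keyless signing, which is worth recording in a comment, e.g. `# id-token: write lets cosign obtain an OIDC token for Sigstore keyless signing`. The `on:` block this hunk sits in starts before the hunk.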
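Review bot: `sigstore/cosign-installer@v2.2.1` references a mutable tag; for a step that downloads and installs the release-signing tool, the usual supply-chain hardening is to pin the action to its full commit SHA and keep the version as a comment, `uses: sigstore/cosign-installer@<commit-sha>  # v2.2.1` (SHA placeholder), since a tag can be moved after the fact. The `cosign-release: 'v1.7.2'` input already pins the installed binary, which is good. The neighbouring `actions/setup-go@v3` and `goreleaser/goreleaser-action@v2` lines are existing context and follow the same tag-based pattern, so this is a file-wide choice rather than a defect introduced only here. The `steps:` list this hunk belongs to starts before the hunk.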
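Review bot: `signs:` is added here as a new top-level key, yet the README's GnuPG instructions added in the same commit imply a GPG signing step already exists; if that step lives in an existing `signs:` list elsewhere in .goreleaser.yml, this becomes a duplicate key that most YAML parsers resolve by silently keeping only the last one, so the cosign entry should be appended as a second item of the existing list instead. The `checksum.name_template` in the context is `checksums.txt`, but the README verification commands run `gpg --verify checksum.txt.sig checksum.txt` (singular), which will not match the published artifact; they should read `gpg --verify checksums.txt.sig checksums.txt`. The signing step also emits `${artifact}.pem`, but the documented cosign command never consumes it; verifying with the published certificate, `cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.keyless.sig checksums.txt`, lets the verifier inspect the certificate's subject and issuer, which is the check the README's IMPORTANT note itself says is missing. A comment above the entry such as `# keyless (Fulcio/Rekor) signing via COSIGN_EXPERIMENTAL=1; needs id-token: write in the release workflow` would make the coupling to the workflow change explicit.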