diff --git a/release/cloudbuild_withsecure_signature.yaml b/release/cloudbuild_withsecure_signature.yaml
new file mode 100644
index 0000000..c8cc107
--- /dev/null
+++ b/release/cloudbuild_withsecure_signature.yaml
@@ -0,0 +1,41 @@
+# This Cloud Build trigger copies the WithSecure signature for a certain
+# Trusted OS release version to the bucket (and "subdir") that contains the
+# Trusted OS as built by transparency.dev and the detached signature as signed
+# by transparency.dev.
+#
+# This is the second Cloud Build trigger for a given release. The first should
+# have already created the Trusted OS elf file and the transparency.dev
+# detached signature.
+#
+# The Trusted OS elf should only be used if both signatures are verified
+# sucessfully.
+#
+### WithSecure Expectations ####
+#
+# WithSecure is expected to overwrite the _WITHSECURE_SIG_FILE and
+# _RELEASE_VERSION_FILE in the Github repo for each release. Cloud Build then
+# reads the _RELEASE_VERSION_FILE here, allowing it copy the signature to the
+# proper "subdir" (as mentioned above).
+#
+# The last piece of config which must be coordinated with WithSecure is how
+# this config gets triggered (and is captured in the GCP project rather than
+# this file). This file will be configured to run when the repo is tagged with
+# `withsecure_signature`.
+steps:
+  # Read the release version for which the WithSecure signature is. Cloud Build
+  # does not allow dynamically setting env vars, so writing to a file as a
+  # workaround:
+  # https://stackoverflow.com/questions/52337831/how-do-i-set-an-environment-or-substitution-variable-via-a-step-in-google-cloud.
+  - name: ubuntu
+    args: ['bash', '-c', 'cat ${_WITHSECURE_DIR}/${_RELEASE_VERSION_FILE} > _RELEASE_VERSION']
+  # Copy the WithSecure signature to the bucket.
+  - name: gcr.io/cloud-builders/gcloud
+    entrypoint: sh
+    args:
+      - -c
+      - 'gcloud storage cp ${_WITHSECURE_DIR}/${_WITHSECURE_SIG_FILE} gs://${_TRUSTED_OS_BUCKET}/$(cat _RELEASE_VERSION)/trusted_os_withsecure.sig'
+substitutions:
+  _TRUSTED_OS_BUCKET: trusted-os-artifacts-ci
+  _WITHSECURE_DIR: release/withsecure
+  _WITHSECURE_SIG_FILE: trusted_os.sig
+  _RELEASE_VERSION_FILE: release_version.txt
\ No newline at end of file