diff --git a/.github/workflows/test-iso.yml b/.github/workflows/test-iso.yml
index 0465b1b9..add0895d 100644
--- a/.github/workflows/test-iso.yml
+++ b/.github/workflows/test-iso.yml
@@ -21,6 +21,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
 strategy:
 fail-fast: false
 matrix:
@@ -55,4 +56,4 @@ jobs:
 run: exit 1
 - name: Exit
 shell: bash
- run: exit 0
\ No newline at end of file
+ run: exit 0
diff --git a/action.yml b/action.yml
index 83438cd9..783a1786 100644
--- a/action.yml
+++ b/action.yml
@@ -74,6 +74,9 @@ runs:
 ref: ${{ inputs.ACTION_REF }}
 submodules: recursive
+ - name: install cosign
+ uses: sigstore/cosign-installer@v3.4.0
+
 - name: Install dependencies
 shell: bash
 run: make install-deps
@@ -124,6 +127,12 @@ runs:
 sha256sum ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso > ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM
 mv ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso end_iso/
+ - name: sign checksum
+ shell: bash
+ run: |
+ cosign sign-blob ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+ cosign verify-blob ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+
 - name: Upload ISO as artifact
 uses: actions/upload-artifact@v4
 with:
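Review bot: `id-token: write` is granted in the test-iso.yml permissions block with no comment saying what it is for, and the reason is only visible in the other file of this commit (the keyless cosign steps added to action.yml). A composite action cannot request permissions for itself, so every workflow that calls action.yml has to make this same grant; recording it at the grant site helps the next caller: `id-token: write  # OIDC token for keyless cosign signing in action.yml`. The workflow's trigger is outside the hunk; if it also runs on pull_request from forks, no OIDC token is issued for those runs and the sign step would fail there, which is worth documenting alongside the permission.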
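Review bot: `uses: sigstore/cosign-installer@v3.4.0` pins the tool that produces the release signatures to a movable tag rather than a full commit SHA; a tag can be re-pointed upstream, so the step that is supposed to anchor trust is itself the least-pinned dependency in the file, and `actions/upload-artifact@v4` in the next hunk has the same weakness. Prefer `uses: sigstore/cosign-installer@<FULL_COMMIT_SHA>  # v3.4.0`, keeping the version in a trailing comment so dependency tooling can still track it. As a point of style, the step name `install cosign` is lowercase while the neighbouring `Install dependencies` and other steps are capitalised.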
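Review bot: The `cosign verify-blob` line verifies the bundle with no `--certificate-identity`/`--certificate-identity-regexp` and no `--certificate-oidc-issuer`; the cosign 2.x that cosign-installer v3 installs rejects keyless verification without an identity constraint, and even where it ran it would only prove that some Fulcio-issued identity signed the blob, not this workflow's. The `sign-blob` call also lacks `--yes`, which cosign 2.x needs to skip the interactive consent prompt in a non-interactive job. Both commands interpolate `${{ inputs.* }}` straight into the shell, as the neighbouring sha256sum/mv lines already do; passing the paths through `env:` keeps an input containing shell metacharacters from being executed. A rewrite of the whole step is below; the identity regexp is a placeholder that should match the calling workflow's OIDC subject, and the verify is only a smoke check unless consumers of the ISO verify with the same constraints.

```yaml
- name: Sign checksum
  shell: bash
  env:
    CHECKSUM: ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM
    BUNDLE: ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
  run: |
    cosign sign-blob --yes "$CHECKSUM" --bundle "$BUNDLE"
    cosign verify-blob "$CHECKSUM" --bundle "$BUNDLE" \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      --certificate-identity-regexp '<EXPECTED_SIGNER_IDENTITY_REGEXP>'
```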