diff --git a/.drone.yml b/.drone.yml
index 6765a7b..3eba974 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -26,6 +26,20 @@ get:
   path: odit-git-bot
   name: sshkey
 
+---
+kind: secret
+name: cosign_key
+get:
+  path: cosign
+  name: cosign.key
+
+---
+kind: secret
+name: cosign_password
+get:
+  path: cosign
+  name: cosign.password
+
 ---
 kind: pipeline
 type: kubernetes
@@ -78,7 +92,7 @@ type: kubernetes
 name: build:tags
 
 steps:
-  - name: build $DRONE_TAG
+  - name: build:tag
     image: plugins/docker
     user: 0
     depends_on: [clone]
@@ -92,6 +106,23 @@ steps:
         - "${DRONE_TAG}"
       registry: registry.odit.services
       mtu: 1000
+  - name: sign:image:tag
+    depends_on: [build:tag]
+    image: registry.odit.services/hub/library/alpine:edge
+    commands:
+      - apk add cosign docker
+      - echo $COSIGN_KEY > cosign.key
+      - echo $DOCKER_PASSWORD | docker login registry.odit.services -u $DOCKER_USERNAME --password-stdin
+      - cosign sign --key cosign.key registry.odit.services/library/nginx-brotli:${DRONE_TAG}
+    environment:
+      COSIGN_KEY:
+        from_secret: cosign_key
+      COSIGN_PASSWORD:
+        from_secret: cosign_password
+      DOCKER_PASSWORD:
+        from_secret: docker_password
+      DOCKER_USERNAME:
+        from_secret: docker_username
 trigger:
   event:
     - tag