diff --git a/hack/release/common.sh b/hack/release/common.sh
index 2a80f15f9ba0..8d424471a42b 100644
--- a/hack/release/common.sh
+++ b/hack/release/common.sh
@@ -135,6 +135,15 @@ publishHelmChart() {
     helm push "${HELM_CHART_FILE_NAME}" "oci://${RELEASE_REPO}"
     rm "${HELM_CHART_FILE_NAME}"
     cd ..
+
+    cosignHelmChart "${RELEASE_REPO}" "${HELM_CHART_VERSION}"
+}
+
+cosignHelmChart() {
+    RELEASE_REPO=$1
+    HELM_CHART_VERSION=$2
+    digest="$(crane digest "${RELEASE_REPO}:${HELM_CHART_VERSION}")"
+    cosign sign --yes "${RELEASE_REPO}:${HELM_CHART_VERSION}@${digest}"
 }
 
 createNewWebsiteDirectory() {
diff --git a/hack/toolchain.sh b/hack/toolchain.sh
index e1f89bc46bf8..b4a8fe536d3e 100755
--- a/hack/toolchain.sh
+++ b/hack/toolchain.sh
@@ -23,6 +23,7 @@ tools() {
     go install github.com/onsi/ginkgo/v2/ginkgo@latest
     go install github.com/rhysd/actionlint/cmd/actionlint@latest
     go install github.com/mattn/goveralls@latest
+    go install github.com/google/go-containerregistry/cmd/crane@latest
 
     if ! echo "$PATH" | grep -q "${GOPATH:-undefined}/bin\|$HOME/go/bin"; then
         echo "Go workspace's \"bin\" directory is not in PATH. Run 'export PATH=\"\$PATH:\${GOPATH:-\$HOME/go}/bin\"'."