diff --git a/.github/workflows/ci-build-binaries.yml b/.github/workflows/ci-build-binaries.yml
index 4990d1627a18..8c0b63eadc1d 100644
--- a/.github/workflows/ci-build-binaries.yml
+++ b/.github/workflows/ci-build-binaries.yml
@@ -48,6 +48,9 @@ jobs:
 env:
 PULUMI_VERSION: ${{ inputs.version }}
+ permissions:
+ id-token: write
+
 steps:
 - name: "Windows cache workaround" # https://github.com/actions/cache/issues/752#issuecomment-1222415717
@@ -80,6 +83,7 @@ jobs:
 - name: Setup versioning env vars
 run: |
 ./scripts/versions.sh | tee -a "${GITHUB_ENV}"
+ - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
 - name: Install GoReleaser
 uses: goreleaser/goreleaser-action@v3
 with:
@@ -116,4 +120,5 @@ jobs:
 retention-days: 1
 path: |
 goreleaser/*.tar.gz
+ goreleaser/*.sig
 goreleaser/*.zip
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4914670397b7..4f6c4cf2cdf2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,7 @@ name: CI
 permissions:
 contents: read
+ id-token: write
 on:
 workflow_call:
diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml
index 7156c82b7200..b8b5a6dc1ff0 100644
--- a/.github/workflows/on-pr.yml
+++ b/.github/workflows/on-pr.yml
@@ -3,6 +3,7 @@ name: Pull Request
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 on:
 pull_request:
@@ -42,6 +43,7 @@ jobs:
 uses: ./.github/workflows/ci.yml
 permissions:
 contents: read
+ id-token: write
 with:
 ref: ${{ github.ref }}
 version: ${{ needs.info.outputs.version }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index eb3031a9776d..7199c2fce7ec 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
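Review bot: The job-level `permissions:` block added in the first ci-build-binaries.yml hunk replaces the workflow-level grant rather than extending it — once any scope is listed at job level, every unlisted scope, including `contents`, becomes `none` for this job's GITHUB_TOKEN. The job presumably checks out the repository before building (the checkout step is not visible in this hunk), and on a private repository or fork that checkout would lose read access; write the block as `permissions:` / `contents: read` / `id-token: write`. The job header and the rest of its steps lie outside the hunk.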
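Review bot: The new `sigstore/cosign-installer@9becc617…` line is pinned to a commit with a version comment, which is the right way to pin an action, but the `goreleaser/goreleaser-action@v3` line right below it stays on a mutable tag — the signing tool is pinned while the tool that invokes it is not, so pin both to a commit SHA with a `# vX.Y.Z` comment. As far as I know cosign-installer v2.8.1 installs a cosign 1.x release, in which keyless `sign-blob` only runs when `COSIGN_EXPERIMENTAL=1` is set; nothing in this diff sets it, so unless it is configured elsewhere the GoReleaser step needs `env:` / `COSIGN_EXPERIMENTAL: "1"` (confirm against the cosign version the installer actually resolves).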
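Review bot: Only the `.sig` files are added to the uploaded paths in the third ci-build-binaries.yml hunk, but the `.goreleaser.yml` hunk also writes a `${artifact}.pem` certificate per binary via `--output-certificate`, and a keyless signature cannot be verified without that certificate (`cosign verify-blob --certificate … --signature …`); add `goreleaser/*.pem` next to `goreleaser/*.sig`. If the signed binaries live in per-build subdirectories of `goreleaser/`, as GoReleaser's default layout does, the single-level `*` in these globs will not match them either and `goreleaser/**/*.sig` would be needed — confirm against the dist layout. The `path:` block scalar starts in this hunk but the step header is above it.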
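Review bot: Granting `id-token: write` at the top of the ci.yml reusable workflow (and, in the first on-pr.yml hunk, at the top of the pull-request workflow) hands an OIDC token to every job in those workflows, not just the binary-build job that signs; the job-level grants in ci-build-binaries.yml and on the `uses: ./.github/workflows/ci.yml` job in the second on-pr.yml hunk are the ones the signing path needs, so the workflow-level lines look broader than least privilege requires. Because the trigger is `pull_request`, signing will also run on PR builds: binaries built from an unreviewed PR would carry a certificate issued to the repository's workflow identity (the certificate records the pull-request ref, but a consumer verifying with a loose identity pattern may not distinguish it), and for PRs from forks no OIDC token is issued at all, so the cosign step would presumably fail there. Consider keeping `id-token: write` on the signing jobs only and skipping signing for pull_request builds.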
@@ -58,6 +58,17 @@ archives:
 strip_parent: true
 name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
+signs:
+- cmd: cosign
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ artifacts: binary
+ output: true
+
 snapshot:
 name_template: "{{ .Version }}-SNAPSHOT"
diff --git a/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml b/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml
new file mode 100644
index 000000000000..8abd9f4b57f4
--- /dev/null
+++ b/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml
@@ -0,0 +1,4 @@
+changes:
+- type: feat
+ scope: ci
+ description: sign pulumi binaries with cosign
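Review bot: `artifacts: binary` signs the raw binaries, but what ci-build-binaries.yml publishes are the `.tar.gz`/`.zip` archives, so someone who downloads a release archive has no signature covering the file they downloaded until they extract it; signing the archives as well (`artifacts: all`, or a second `signs` entry with `artifacts: archive`) or signing the checksum file (`artifacts: checksum`) would let verification cover the published artifact. The sequence under `signs:` is written flush-left while the `args:` list inside it is indented, which mixes the two block-sequence styles in one file — pick one, matching the rest of `.goreleaser.yml` (not visible here). The `snapshot:` stanza that follows is existing context.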