diff --git a/CHANGELOG.md b/CHANGELOG.md
index b74e517c15b..de987d3c5b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,130 @@
+# v1.9.0
+
+## Enhancements
+
+* Do not push to public rekor. (#1931)
+* Add privacy statement for PII storage (#1909)
+* Add support for "**" in image glob matching (#1914)
+* [cosigned] Rename cosigned references to policy-controller (#1893)
+* [cosigned] Remove undefined apiGroups from policy clusterrole (#1896)
+* tree: support --attachment-tag-prefix (#1900)
+* v1beta1 API for cosigned (#1890)
+* tree: only report artifacts that are present (#1872)
+* Check certificate policy flags with only a certificate (#1869)
+* Normalize certificate flag names (#1868)
+* Add rekor.0.pub TUF target to unit tests (#1860)
+* If SBOM ref has .json suffix, assume JSON mediatype (#1859)
+* sget: Enable KMS providers for sget (#1852)
+* Use filepath match instead of glob (#1842)
+* cosigned: Fix podAntiAffinity labels (#1841)
+* Add function to explictly request a certain provider (#1837)
+* Validate tlog entry when verifying signature via public key. (#1833)
+* New flag --oidc-providers-disable to disable OIDC providers (#1832)
+* Add auth flow option to KeyOpts. (#1827)
+* cosigned: Test unsupported KMS providers (#1820)
+* Refactor fulcio signer to take in KeyOpts (take 2) (#1818)
+* feat: add rego policy support (#1817)
+* [Cosigned] Add signature pull secrets (#1805)
+* Check failure message of policy that fails with issuer mismatch (#1815)
+* Support PKCS1 encoded and non-ECDSA CT log public keys (#1806)
+
+## Documention
+
+* update README with ebpf modules (#1888)
+* Point git commmit FUN.md to gitsign! (#1874)
+* Add IBM Cloud Container Registry to tested registry list (#1856)
+* Document Staging instance usage with Keyless (#1824)
+
+## Bug Fixes
+
+* fix: fix #1930 for AWS KMS formats (#1946)
+* fix: fix fetching updated targets from TUF root (#1921)
+* Fix piv-tool generate-key command in TOKENS doc (#1850)
+
+## Others
+
+* remove deprecation (#1952)
+* Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 (#1949)
+* update cross-builder image to use go1.17.11 (#1950)
+* Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (#1945)
+* Bump github.com/secure-systems-lab/go-securesystemslib (#1944)
+* Bump actions/cache from 3.0.2 to 3.0.3 (#1937)
+* Bump mikefarah/yq from 4.25.1 to 4.25.2 (#1933)
+* Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#1924)
+* Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 (#1926)
+* Bump actions/setup-go from 3.1.0 to 3.2.0 (#1927)
+* Bump actions/dependency-review-action from 1.0.1 to 1.0.2 (#1915)
+* Bump google-github-actions/auth from 0.7.3 to 0.8.0 (#1916)
+* Bump ossf/scorecard-action from 1.0.4 to 1.1.0 (#1922)
+* Bump google.golang.org/api from 0.80.0 to 0.81.0 (#1918)
+* Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 (#1919)
+* Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 (#1920)
+* Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 (#1913)
+* Move deprecated dependency: google/trillian/merkle to transparency-dev (#1910)
+* Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 (#1902)
+* Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 (#1883)
+* Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 (#1906)
+* Bump actions/upload-artifact from 3.0.0 to 3.1.0 (#1907)
+* The timeout arg in golangci-lint has been moved to the generic args param. (#1901)
+* Update go-tuf (#1894)
+* Bump google.golang.org/api from 0.79.0 to 0.80.0 (#1897)
+* Bump google-github-actions/auth from 0.7.2 to 0.7.3 (#1898)
+* Bump github/codeql-action from 2.1.10 to 2.1.11 (#1891)
+* Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d (#1889)
+* Remove dependency on deprecated github.com/pkg/errors (#1887)
+* Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (#1884)
+* Bump google-github-actions/auth from 0.7.1 to 0.7.2 (#1886)
+* go.mod: format go.mod (#1879)
+* chore: remove regex from image pattern (#1873)
+* Bump actions/dependency-review-action (#1875)
+* Bump actions/github-script from 6.0.0 to 6.1.0 (#1876)
+* Bump actions/setup-go from 3.0.0 to 3.1.0 (#1870)
+* Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go (#1861)
+* Bump github/codeql-action from 2.1.9 to 2.1.10 (#1863)
+* Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#1864)
+* Bump google.golang.org/api from 0.78.0 to 0.79.0 (#1858)
+* Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 (#1857)
+* Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (#1851)
+* remove exclude from go.mod (#1846)
+* Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 (#1843)
+* Bump google.golang.org/api from 0.77.0 to 0.78.0 (#1838)
+* Bump mikefarah/yq from 4.24.5 to 4.25.1 (#1831)
+* Bump google.golang.org/api from 0.76.0 to 0.77.0 (#1829)
+* Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (#1830)
+* Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 (#1828)
+* chore(deps): Included dependency review (#1792)
+* Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (#1813)
+* Bump github/codeql-action from 2.1.8 to 2.1.9 (#1814)
+* Bump google.golang.org/api from 0.75.0 to 0.76.0 (#1810)
+* Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#1809)
+* Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 (#1808)
+
+## Contributors
+
+* Asra Ali (@asraa)
+* Adolfo García Veytia (@puerco)
+* Andrés Torres (@elfotografo007)
+* Billy Lynch (@wlynch)
+* Carlos Tadeu Panato Junior (@cpanato)
+* Dan Lorenc (@dlorenc)
+* Denny (@DennyHoang)
+* Eitan Yarmush (@EItanya)
+* Hayden Blauzvern (@haydentherapper)
+* Hector Fernandez (@hectorj2f)
+* Jack Baines (@bainsy88)
+* Jason Hall (@imjasonh)
+* Josh Dolitsky (@jdolitsky)
+* Kenny Leung (@k4leung4)
+* Koichi Shiraishi (@zchee)
+* Naveen Srinivasan (@naveensrinivasan)
+* Neal McBurnett (@nealmcb)
+* Priya Wadhwa (@priyawadhwa)
+* Rob Best (@ribbybibby)
+* Tomasz Janiszewski (@janisz)
+* Ville Aikas (@vaikas)
+* Vladimir Nachev (@vpnachev)
+
+
 # v1.8.0
 
 _NOTE_: If you use Fulcio to issue certificates you will need to use this release.
@@ -36,6 +163,8 @@ _NOTE_: If you use Fulcio to issue certificates you will need to use this releas
 
 ## Others
 
+* update changelog for 1.8.0 (#1807)
+* add changelog for release v1.8.0 (#1803)
 * Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 (https://github.com/sigstore/cosign/pull/1758)
 * Bump google-github-actions/auth from 0.7.0 to 0.7.1 (https://github.com/sigstore/cosign/pull/1801)
 * Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (https://github.com/sigstore/cosign/pull/1800)