diff --git a/CHANGELOG.md b/CHANGELOG.md index b74e517c15b..e9ad0ac3c2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,130 @@ +# v1.9.0 + +## Enhancements + +* Do not push to public rekor. (https://github.com/sigstore/cosign/pull/1931) +* Add privacy statement for PII storage (https://github.com/sigstore/cosign/pull/1909) +* Add support for "**" in image glob matching (https://github.com/sigstore/cosign/pull/1914) +* [cosigned] Rename cosigned references to policy-controller (https://github.com/sigstore/cosign/pull/1893) +* [cosigned] Remove undefined apiGroups from policy clusterrole (https://github.com/sigstore/cosign/pull/1896) +* tree: support --attachment-tag-prefix (https://github.com/sigstore/cosign/pull/1900) +* v1beta1 API for cosigned (https://github.com/sigstore/cosign/pull/1890) +* tree: only report artifacts that are present (https://github.com/sigstore/cosign/pull/1872) +* Check certificate policy flags with only a certificate (https://github.com/sigstore/cosign/pull/1869) +* Normalize certificate flag names (https://github.com/sigstore/cosign/pull/1868) +* Add rekor.0.pub TUF target to unit tests (https://github.com/sigstore/cosign/pull/1860) +* If SBOM ref has .json suffix, assume JSON mediatype (https://github.com/sigstore/cosign/pull/1859) +* sget: Enable KMS providers for sget (https://github.com/sigstore/cosign/pull/1852) +* Use filepath match instead of glob (https://github.com/sigstore/cosign/pull/1842) +* cosigned: Fix podAntiAffinity labels (https://github.com/sigstore/cosign/pull/1841) +* Add function to explictly request a certain provider (https://github.com/sigstore/cosign/pull/1837) +* Validate tlog entry when verifying signature via public key. (https://github.com/sigstore/cosign/pull/1833) +* New flag --oidc-providers-disable to disable OIDC providers (https://github.com/sigstore/cosign/pull/1832) +* Add auth flow option to KeyOpts. 
(https://github.com/sigstore/cosign/pull/1827) +* cosigned: Test unsupported KMS providers (https://github.com/sigstore/cosign/pull/1820) +* Refactor fulcio signer to take in KeyOpts (take 2) (https://github.com/sigstore/cosign/pull/1818) +* feat: add rego policy support (https://github.com/sigstore/cosign/pull/1817) +* [Cosigned] Add signature pull secrets (https://github.com/sigstore/cosign/pull/1805) +* Check failure message of policy that fails with issuer mismatch (https://github.com/sigstore/cosign/pull/1815) +* Support PKCS1 encoded and non-ECDSA CT log public keys (https://github.com/sigstore/cosign/pull/1806) + +## Documention + +* update README with ebpf modules (https://github.com/sigstore/cosign/pull/1888) +* Point git commmit FUN.md to gitsign! (https://github.com/sigstore/cosign/pull/1874) +* Add IBM Cloud Container Registry to tested registry list (https://github.com/sigstore/cosign/pull/1856) +* Document Staging instance usage with Keyless (https://github.com/sigstore/cosign/pull/1824) + +## Bug Fixes + +* fix: fix #1930 for AWS KMS formats (https://github.com/sigstore/cosign/pull/1946) +* fix: fix fetching updated targets from TUF root (https://github.com/sigstore/cosign/pull/1921) +* Fix piv-tool generate-key command in TOKENS doc (https://github.com/sigstore/cosign/pull/1850) + +## Others + +* remove deprecation (https://github.com/sigstore/cosign/pull/1952) +* Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 (https://github.com/sigstore/cosign/pull/1949) +* update cross-builder image to use go1.17.11 (https://github.com/sigstore/cosign/pull/1950) +* Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (https://github.com/sigstore/cosign/pull/1945) +* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/cosign/pull/1944) +* Bump actions/cache from 3.0.2 to 3.0.3 (https://github.com/sigstore/cosign/pull/1937) +* Bump mikefarah/yq from 4.25.1 to 4.25.2 (https://github.com/sigstore/cosign/pull/1933) +* Bump 
github.com/spf13/viper from 1.11.0 to 1.12.0 (https://github.com/sigstore/cosign/pull/1924) +* Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 (https://github.com/sigstore/cosign/pull/1926) +* Bump actions/setup-go from 3.1.0 to 3.2.0 (https://github.com/sigstore/cosign/pull/1927) +* Bump actions/dependency-review-action from 1.0.1 to 1.0.2 (https://github.com/sigstore/cosign/pull/1915) +* Bump google-github-actions/auth from 0.7.3 to 0.8.0 (https://github.com/sigstore/cosign/pull/1916) +* Bump ossf/scorecard-action from 1.0.4 to 1.1.0 (https://github.com/sigstore/cosign/pull/1922) +* Bump google.golang.org/api from 0.80.0 to 0.81.0 (https://github.com/sigstore/cosign/pull/1918) +* Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 (https://github.com/sigstore/cosign/pull/1919) +* Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 (https://github.com/sigstore/cosign/pull/1920) +* Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 (https://github.com/sigstore/cosign/pull/1913) +* Move deprecated dependency: google/trillian/merkle to transparency-dev (https://github.com/sigstore/cosign/pull/1910) +* Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 (https://github.com/sigstore/cosign/pull/1902) +* Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 (https://github.com/sigstore/cosign/pull/1883) +* Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 (https://github.com/sigstore/cosign/pull/1906) +* Bump actions/upload-artifact from 3.0.0 to 3.1.0 (https://github.com/sigstore/cosign/pull/1907) +* The timeout arg in golangci-lint has been moved to the generic args param. 
(https://github.com/sigstore/cosign/pull/1901) +* Update go-tuf (https://github.com/sigstore/cosign/pull/1894) +* Bump google.golang.org/api from 0.79.0 to 0.80.0 (https://github.com/sigstore/cosign/pull/1897) +* Bump google-github-actions/auth from 0.7.2 to 0.7.3 (https://github.com/sigstore/cosign/pull/1898) +* Bump github/codeql-action from 2.1.10 to 2.1.11 (https://github.com/sigstore/cosign/pull/1891) +* Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d (https://github.com/sigstore/cosign/pull/1889) +* Remove dependency on deprecated github.com/pkg/errors (https://github.com/sigstore/cosign/pull/1887) +* Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (https://github.com/sigstore/cosign/pull/1884) +* Bump google-github-actions/auth from 0.7.1 to 0.7.2 (https://github.com/sigstore/cosign/pull/1886) +* go.mod: format go.mod (https://github.com/sigstore/cosign/pull/1879) +* chore: remove regex from image pattern (https://github.com/sigstore/cosign/pull/1873) +* Bump actions/dependency-review-action (https://github.com/sigstore/cosign/pull/1875) +* Bump actions/github-script from 6.0.0 to 6.1.0 (https://github.com/sigstore/cosign/pull/1876) +* Bump actions/setup-go from 3.0.0 to 3.1.0 (https://github.com/sigstore/cosign/pull/1870) +* Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go (https://github.com/sigstore/cosign/pull/1861) +* Bump github/codeql-action from 2.1.9 to 2.1.10 (https://github.com/sigstore/cosign/pull/1863) +* Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (https://github.com/sigstore/cosign/pull/1864) +* Bump google.golang.org/api from 0.78.0 to 0.79.0 (https://github.com/sigstore/cosign/pull/1858) +* Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 (https://github.com/sigstore/cosign/pull/1857) +* Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (https://github.com/sigstore/cosign/pull/1851) +* remove exclude from go.mod (https://github.com/sigstore/cosign/pull/1846) 
+* Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 (https://github.com/sigstore/cosign/pull/1843) +* Bump google.golang.org/api from 0.77.0 to 0.78.0 (https://github.com/sigstore/cosign/pull/1838) +* Bump mikefarah/yq from 4.24.5 to 4.25.1 (https://github.com/sigstore/cosign/pull/1831) +* Bump google.golang.org/api from 0.76.0 to 0.77.0 (https://github.com/sigstore/cosign/pull/1829) +* Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (https://github.com/sigstore/cosign/pull/1830) +* Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 (https://github.com/sigstore/cosign/pull/1828) +* chore(deps): Included dependency review (https://github.com/sigstore/cosign/pull/1792) +* Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (https://github.com/sigstore/cosign/pull/1813) +* Bump github/codeql-action from 2.1.8 to 2.1.9 (https://github.com/sigstore/cosign/pull/1814) +* Bump google.golang.org/api from 0.75.0 to 0.76.0 (https://github.com/sigstore/cosign/pull/1810) +* Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (https://github.com/sigstore/cosign/pull/1809) +* Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 (https://github.com/sigstore/cosign/pull/1808) + +## Contributors + +* Asra Ali (@asraa) +* Adolfo García Veytia (@puerco) +* Andrés Torres (@elfotografo007) +* Billy Lynch (@wlynch) +* Carlos Tadeu Panato Junior (@cpanato) +* Dan Lorenc (@dlorenc) +* Denny (@DennyHoang) +* Eitan Yarmush (@EItanya) +* Hayden Blauzvern (@haydentherapper) +* Hector Fernandez (@hectorj2f) +* Jack Baines (@bainsy88) +* Jason Hall (@imjasonh) +* Josh Dolitsky (@jdolitsky) +* Kenny Leung (@k4leung4) +* Koichi Shiraishi (@zchee) +* Naveen Srinivasan (@naveensrinivasan) +* Neal McBurnett (@nealmcb) +* Priya Wadhwa (@priyawadhwa) +* Rob Best (@ribbybibby) +* Tomasz Janiszewski (@janisz) +* Ville Aikas (@vaikas) +* Vladimir Nachev (@vpnachev) + + # v1.8.0 _NOTE_: If you use Fulcio to issue certificates you will need to use this release. 
@@ -36,6 +163,8 @@ _NOTE_: If you use Fulcio to issue certificates you will need to use this releas ## Others +* update changelog for 1.8.0 (https://github.com/sigstore/cosign/pull/1807) +* add changelog for release v1.8.0 (https://github.com/sigstore/cosign/pull/1803) * Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 (https://github.com/sigstore/cosign/pull/1758) * Bump google-github-actions/auth from 0.7.0 to 0.7.1 (https://github.com/sigstore/cosign/pull/1801) * Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (https://github.com/sigstore/cosign/pull/1800)
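Review bot: in the first hunk (the new v1.9.0 block), the section heading "## Documention" is misspelled and should read "## Documentation". The entries "Add function to explictly request a certain provider" and "Point git commmit FUN.md to gitsign!" also carry typos ("explictly", "commmit") that are worth fixing in the changelog even if they mirror the PR titles. Separately, "Do not push to public rekor." and "Validate tlog entry when verifying signature via public key." read as changes to what signing and verification do, yet they are listed mid-way through Enhancements. The v1.8.0 section opens with a _NOTE_ for its Fulcio requirement, and a similar short note at the top of v1.9.0 stating what users need to do differently would keep these from being missed among the dependency bumps.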
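Review bot: in the second hunk, "update changelog for 1.8.0" (#1807) and "add changelog for release v1.8.0" (#1803) are being added to the Others list of the already released v1.8.0 section. Please confirm both PRs are part of the v1.8.0 tag. If either merged after the tag it belongs under the v1.9.0 Others list instead, so that each version's section matches what shipped in it. These are changelog housekeeping entries with no user-facing effect, so dropping them from the release notes altogether is also an option.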