diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 31e373e3dc..f45d966d36 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,14 +17,10 @@ jobs:
 - uses: actions/setup-go@v2
 with:
 go-version: 1.17.x
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- with:
- cosign-release: 'v1.3.0'
+ - uses: sigstore/cosign-installer@v1.4.1
 - uses: goreleaser/goreleaser-action@v2
 with:
 version: latest
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yml b/.goreleaser.yml
index eae3839340..ebd7424408 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -36,7 +36,16 @@ checksum:
 name_template: 'checksums.txt'
 signs:
 - cmd: cosign
- args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"]
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ signature: "${artifact}.sig"
+ certificate: "${artifact}.pem"
+ output: true
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
 artifacts: checksum
 snapshot:
 name_template: "{{ .Tag }}-next"
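Review bot: `sigstore/cosign-installer@v1.4.1` is still a mutable tag reference, as are `actions/setup-go@v2` and `goreleaser/goreleaser-action@v2` in the context lines, and `version: latest` leaves the GoReleaser binary unpinned. In the job that holds the release token and produces the signatures, each of these can change without a commit to this repository. Pin the actions to full commit SHAs, e.g. `- uses: sigstore/cosign-installer@<full-commit-sha>  # v1.4.1`, and set an explicit GoReleaser version instead of `latest`. Keyless signing also needs the job to be granted `id-token: write`; any `permissions` block would sit above line 17, outside this hunk, so confirm it is present.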
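Review bot: The new `signs` entry has no comment saying what the signature covers or how it is meant to be verified. `artifacts: checksum` means only `checksums.txt` is signed, so a downloaded binary is protected only if the user verifies that signature, confirms the certificate's issuer and subject match this repository's release workflow, and then checks the binary's hash against the file. The commit also drops `--oidc-issuer=...`, so signing presumably now relies on cosign detecting the ambient GitHub token, which is worth confirming on a test tag. I would add above `- cmd: cosign`: `# Keyless-signs checksums.txt only; verify the .sig against the .pem, check the cert identity is this repo's release workflow, then check file hashes.`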