diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6c3c27a7d..9f900b566 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -63,8 +63,10 @@ jobs: - name: container run: | - make ko-local 2>&1 | tee output.txt - docker run --rm $(tail -1 output.txt) version + make ko-local + docker run --rm $(cat rekorImagerefs) version + docker run --rm $(cat cliImagerefs) version + docker run --rm $(cat redisImagerefs) --version e2e: runs-on: ubuntu-20.04 diff --git a/.gitignore b/.gitignore index cbd43328e..c913d5da8 100644 --- a/.gitignore +++ b/.gitignore @@ -17,6 +17,9 @@ rekorServerImagerefs rekorCliImagerefs trillianServerImagerefs trillianSignerImagerefs +rekorImagerefs +cliImagerefs +redisImagerefs cosign.* signature rekor.pub diff --git a/.ko.yaml b/.ko.yaml index ecf440910..18c35c779 100644 --- a/.ko.yaml +++ b/.ko.yaml @@ -46,3 +46,18 @@ builds: ldflags: - -extldflags "-static" - "{{ .Env.LDFLAGS }}" + +- id: backfill-redis + dir: . + main: ./cmd/backfill-redis + env: + - CGO_ENABLED=0 + flags: + - -trimpath + - --tags + - "{{ .Env.GIT_HASH }}" + - --tags + - "{{ .Env.GIT_VERSION }}" + ldflags: + - -extldflags "-static" + - "{{ .Env.LDFLAGS }}" diff --git a/Makefile b/Makefile index 5f0e9e658..987e8c31f 100644 --- a/Makefile +++ b/Makefile @@ -82,6 +82,9 @@ rekor-cli: $(SRCS) rekor-server: $(SRCS) CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/rekor-server +backfill-redis: $(SRCS) + CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/backfill-redis + test: go test ./... 
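Review bot: The new `backfill-redis` target in the Makefile hunk writes its output to `rekor-server`, so building it overwrites the server binary and never produces a `backfill-redis` executable. The `-o` argument looks copied from the `rekor-server` target directly above. The recipe should be `CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o backfill-redis ./cmd/backfill-redis`. A file named after the server but holding different code is also easy to package or run by mistake.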
@@ -117,6 +120,12 @@ ko: --platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \ --image-refs rekorCliImagerefs github.com/sigstore/rekor/cmd/rekor-cli + # backfill-redis + LDFLAGS="$(SERVER_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ + ko publish --base-import-paths \ + --platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \ + --image-refs bRedisImagerefs github.com/sigstore/rekor/cmd/backfill-redis + deploy: LDFLAGS="$(SERVER_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -f config/ @@ -139,14 +148,19 @@ sign-keyless-ci: ko ko-local: LDFLAGS="$(SERVER_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ ko publish --base-import-paths \ - --tags $(GIT_VERSION) --tags $(GIT_HASH) --local \ + --tags $(GIT_VERSION) --tags $(GIT_HASH) --local --image-refs rekorImagerefs \ github.com/sigstore/rekor/cmd/rekor-server LDFLAGS="$(CLI_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ ko publish --base-import-paths \ - --tags $(GIT_VERSION) --tags $(GIT_HASH) --local \ + --tags $(GIT_VERSION) --tags $(GIT_HASH) --local --image-refs cliImagerefs \ github.com/sigstore/rekor/cmd/rekor-cli + LDFLAGS="$(SERVER_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ + ko publish --base-import-paths \ + --tags $(GIT_VERSION) --tags $(GIT_HASH) --local --image-refs redisImagerefs \ + github.com/sigstore/rekor/cmd/backfill-redis + # This builds the trillian containers we rely on using ko for cross platform support .PHONY: ko-trillian ko-trillian: diff --git a/cmd/backfill-redis/main.go b/cmd/backfill-redis/main.go index e87f82dfa..58f3c1797 100644 --- a/cmd/backfill-redis/main.go +++ b/cmd/backfill-redis/main.go @@ -33,9 +33,12 @@ import ( "flag" "fmt" "log" + "os" "github.com/go-openapi/runtime" radix "github.com/mediocregopher/radix/v4" + "sigs.k8s.io/release-utils/version" + "github.com/sigstore/rekor/pkg/client" "github.com/sigstore/rekor/pkg/generated/client/entries" "github.com/sigstore/rekor/pkg/generated/models" 
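Review bot: The `ko` target records the published image in `bRedisImagerefs`, but the `.gitignore` hunk of this commit only adds `redisImagerefs`, the name used by `ko-local`. The file that `release/ko-sign-release-images.sh` later reads is therefore not ignored, and it shows up as an untracked file after a release build. Add `bRedisImagerefs` to `.gitignore` alongside the other release ref files. Because the signing script signs whatever reference that file holds, a comment on the target saying that the file is regenerated on every `ko` run would also help.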
@@ -63,11 +66,18 @@ var ( startIndex = flag.Int("start", -1, "First index to backfill") endIndex = flag.Int("end", -1, "Last index to backfill") rekorAddress = flag.String("rekor-address", "", "Address for Rekor, e.g. https://rekor.sigstore.dev") + versionFlag = flag.Bool("version", false, "Print the current version of Backfill Redis") ) func main() { flag.Parse() + versionInfo := version.GetVersionInfo() + if *versionFlag { + fmt.Println(versionInfo.String()) + os.Exit(0) + } + if *redisHostname == "" { log.Fatal("address must be set") } @@ -84,6 +94,8 @@ func main() { log.Fatal("rekor-address must be set") } + log.Printf("running backfill redis Version: %s GitCommit: %s BuildDate: %s", versionInfo.GitVersion, versionInfo.GitCommit, versionInfo.BuildDate) + cfg := radix.PoolConfig{} redisClient, err := cfg.New(context.Background(), "tcp", fmt.Sprintf("%s:%s", *redisHostname, *redisPort)) if err != nil { diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh index ca6b6f177..1688d0e77 100755 --- a/release/ko-sign-release-images.sh +++ b/release/ko-sign-release-images.sh @@ -36,6 +36,11 @@ if [[ ! -f rekorCliImagerefs ]]; then exit 1 fi +if [[ ! -f bRedisImagerefs ]]; then + echo "bRedisImagerefs not found" + exit 1 +fi + if [[ ! -f trillianServerImagerefs ]]; then echo "trillianServerImagerefs not found" exit 1 
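Review bot: In `release/ko-sign-release-images.sh` the added guard tests `bRedisImagerefs` with `-f`, which also passes for an empty file. The `cosign sign ... $(cat bRedisImagerefs)` lines added in the following hunk would then run without an image argument. Testing for a non-empty file, `if [[ ! -s bRedisImagerefs ]]; then`, stops the script before any signing when `ko publish` failed or was interrupted. The existing guards for the other ref files use the same `-f` form, so it would be worth changing them together.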
@@ -49,11 +54,13 @@ fi echo "Signing images with GCP KMS Key..." cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat rekorServerImagerefs) cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat rekorCliImagerefs) +cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat bRedisImagerefs) cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat trillianServerImagerefs) cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat trillianSignerImagerefs) echo "Signing images with Keyless..." cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat rekorServerImagerefs) cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat rekorCliImagerefs) +cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat bRedisImagerefs) cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat trillianServerImagerefs) cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat trillianSignerImagerefs) diff --git a/release/release.mk b/release/release.mk index 19dc18209..19a1c6d63 100644 --- a/release/release.mk +++ b/release/release.mk 
@@ -5,12 +5,12 @@ # used when releasing together with GCP CloudBuild .PHONY: release release: - CLI_LDFLAGS="$(CLI_LDFLAGS)" SERVER_LDFLAGS="$(SERVER_LDFLAGS)" goreleaser release --rm-dist --timeout 60m + CLI_LDFLAGS="$(CLI_LDFLAGS)" SERVER_LDFLAGS="$(SERVER_LDFLAGS)" goreleaser release --rm-dist --timeout 120m # used when need to validate the goreleaser .PHONY: snapshot snapshot: - CLI_LDFLAGS="$(CLI_LDFLAGS)" SERVER_LDFLAGS="$(SERVER_LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist + CLI_LDFLAGS="$(CLI_LDFLAGS)" SERVER_LDFLAGS="$(SERVER_LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist --timeout 120m ########################### # sign section @@ -33,6 +33,10 @@ copy-rekor-server-signed-release-to-ghcr: copy-rekor-cli-signed-release-to-ghcr: cosign copy $(KO_PREFIX)/rekor-cli:$(GIT_VERSION) $(GHCR_PREFIX)/rekor-cli:$(GIT_VERSION) +.PHONY: copy-backfill-redis-signed-release-to-ghcr +copy-backfill-redis-signed-release-to-ghcr: + cosign copy $(KO_PREFIX)/backfill-redis:$(GIT_VERSION) $(GHCR_PREFIX)/backfill-redis:$(GIT_VERSION) + .PHONY: copy-trillian-log-server-signed-release-to-ghcr copy-trillian-log-server-signed-release-to-ghcr: cosign copy $(KO_PREFIX)/trillian_log_server:$(GIT_VERSION) $(GHCR_PREFIX)/trillian_log_server:$(GIT_VERSION) 
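Review bot: `copy-backfill-redis-signed-release-to-ghcr` in `release/release.mk` copies `$(KO_PREFIX)/backfill-redis:$(GIT_VERSION)` by tag, whereas the signing script signs the reference stored in `bRedisImagerefs`. If the tag is moved between signing and copying, the image that reaches GHCR is not necessarily the one that was signed. Either run `cosign verify` on the destination after the copy, or add a comment above the target stating that release tags in the source registry are immutable. The neighbouring copy targets use the same tag-based form, so the point applies to them as well.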
@@ -42,7 +46,7 @@ copy-trillian-log-signer-signed-release-to-ghcr: cosign copy $(KO_PREFIX)/trillian_log_signer:$(GIT_VERSION) $(GHCR_PREFIX)/trillian_log_signer:$(GIT_VERSION) .PHONY: copy-signed-release-to-ghcr -copy-signed-release-to-ghcr: copy-rekor-server-signed-release-to-ghcr copy-rekor-cli-signed-release-to-ghcr copy-trillian-log-signer-signed-release-to-ghcr copy-trillian-log-server-signed-release-to-ghcr +copy-signed-release-to-ghcr: copy-rekor-server-signed-release-to-ghcr copy-rekor-cli-signed-release-to-ghcr copy-backfill-redis-signed-release-to-ghcr copy-trillian-log-signer-signed-release-to-ghcr copy-trillian-log-server-signed-release-to-ghcr ## -------------------------------------- ## Dist / maybe we can deprecate