diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 9859840..911869b 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -36,7 +36,8 @@ jobs:
 images: ghcr.io/${{ github.repository }}
 tags: |
 type=ref,event=branch,enable=false,priority=600
- type=sha,enable=true,priority=600,prefix=
+ type=sha,enable=true,priority=600,prefix=,format=long
+
 - name: Log into registry
 uses: docker/login-action@v3
 with:
@@ -49,6 +50,7 @@ jobs:
 echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
 - name: Build and push ${{ github.repository }}
+ id: build_and_push
 if: ${{ env.IMAGE_EXISTS == 0 }}
 uses: docker/build-push-action@v5
 with:
@@ -60,6 +62,22 @@ jobs:
 tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
 labels: ${{ steps.docker_meta_img.outputs.labels }}
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.6.0
+
+ - name: Sign image with a key
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
+ env:
+ TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
+ DIGEST: ${{ steps.build_and_push.outputs.digest }}
+
 branch_meta:
 runs-on: ubuntu-latest
 outputs:
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 3ed6680..c25b9c5 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
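Review bot: The `format=long` added to the `type=sha` rule is load-bearing but undocumented: the build step in this file tags the image `ghcr.io/${{ github.repository }}:${{ github.sha }}` (full SHA) and the new signing step derives its references from `steps.docker_meta_img.outputs.tags`, so the metadata tag must be the full SHA or the two steps would name different tags. Record that above the `tags: |` key rather than inside it, because a `#` line inside the block scalar becomes part of the input value, e.g. `# format=long: full SHA, must equal the :${{ github.sha }} tag pushed by build_and_push`. The metadata step's `with:` block starts before this hunk.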
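Review bot: The new `Sign image with a key` step runs unconditionally, but `build_and_push` (the hunk at -49) is skipped when `env.IMAGE_EXISTS` is not 0, so on a re-run for a SHA that `docker manifest inspect` already finds, `DIGEST` is empty, every reference in the loop ends in `@`, and `cosign sign` fails the job after an otherwise successful no-op build. Give the `Install Cosign` and signing steps the same guard, `if: ${{ env.IMAGE_EXISTS == 0 }}`, or fail early in the script with `: "${DIGEST:?build_and_push produced no digest}"`. Separately, `sigstore/cosign-installer@v3.6.0` is pinned to a mutable tag; for a step that handles the signing key, pinning to the action's full commit SHA with the version in a trailing comment is the usual hardening, and the same applies to the identical step in tag.yml. The file's other actions use major-version tags, so this is a policy choice for the maintainers rather than a one-line fix.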
@@ -16,13 +16,13 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Docker meta Service Name for docker hub
- id: docker_meta_img_hub
+ id: docker_meta_img
 uses: docker/metadata-action@v5
 with:
 images: docker.io/schulcloud/version-aggregator, quay.io/schulcloudverbund/version-aggregator
 tags: |
 type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}.{{minor}}
 - name: Log into docker registry
 uses: docker/login-action@v3
@@ -38,6 +38,7 @@ jobs:
 password: ${{ secrets.QUAY_TOKEN }}
 - name: Build and push ${{ github.repository }}
+ id: build_and_push
 uses: docker/build-push-action@v5
 with:
 context: .
@@ -45,5 +46,22 @@ jobs:
 platforms: linux/amd64
 push: true
 pull: true
- tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
- labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
+ tags: ${{ steps.docker_meta_img.outputs.tags }}
+ labels: ${{ steps.docker_meta_img.outputs.labels }}
+
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.6.0
+
+ - name: Sign image with a key
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
+ env:
+ TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
+ DIGEST: ${{ steps.build_and_push.outputs.digest }}
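Review bot: Two consecutive blank lines are added between `labels:` and `- name: Install Cosign` in the -45 hunk, which yamllint's `empty-lines` rule flags and which differs from the single blank line separating the other steps; drop to one. The signing script also builds `${tag}@${DIGEST}` for every tag without checking that `steps.build_and_push.outputs.digest` is set — a one-line guard `: "${DIGEST:?build_and_push produced no digest}"` before the loop turns a cosign reference-parse error into a clear failure. Since `TAGS` here spans two registries (docker.io and quay.io), the loop relies on the metadata action's newline-separated output being word-split by the unquoted `${TAGS}`, which deserves a comment in the script, e.g. `# TAGS is newline-separated; word splitting is intentional`.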