diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aee0a6b..ad10cda 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -198,6 +198,7 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/v')
 permissions:
 contents: write
+ id-token: write # required for keyless cosign signing via OIDC
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -209,8 +210,14 @@ jobs:
 pattern: step-ca_*
 merge-multiple: true
- - name: List artifacts
- run: ls -la dist/
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+
+ - name: Sign binaries
+ run: |
+ for bin in dist/step-ca_*; do
+ cosign sign-blob --yes --bundle="${bin}.bundle" "$bin"
+ done
 - name: Get version
 id: version
diff --git a/docs/content/user.md b/docs/content/user.md
index d1d6f40..348ed9c 100644
--- a/docs/content/user.md
+++ b/docs/content/user.md
@@ -621,6 +621,8 @@ kind: Gateway
 metadata:
 name: my-gateway
 namespace: infra
+ annotations:
+ cert-manager.io/cluster-issuer: acme-proxy
 spec:
 gatewayClassName: nginx
 listeners:
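Review bot: The `id-token: write` added under `permissions:` in the first ci.yml hunk (`@@ -198,6 +198,7 @@`) is granted to the whole job, so every step in it, third-party actions included, can request an OIDC token for the identity that signs releases while also holding `contents: write`. Consider moving the cosign steps into a dedicated signing job that declares only `id-token: write` and `contents: read`, and passing the `.bundle` files to the release job as artifacts. The job's remaining steps lie outside the hunk, so whether any of them needs both permissions at once cannot be confirmed from here.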
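Review bot: `sigstore/cosign-installer@v3` in the second ci.yml hunk (`@@ -209,8 +210,14 @@`) is referenced by a movable tag inside a job that holds `id-token: write` and `contents: write`, so whatever that tag points to at release time runs with the ability to sign as this workflow. Pin it to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3` (placeholder; take the SHA from a release you have reviewed). The same applies to `actions/checkout@v4` in the first hunk's context lines. It would also help to add a comment above `Sign binaries` naming the certificate identity and OIDC issuer that consumers should expect when verifying the bundles, since a keyless signature is only meaningful when checked against them.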