diff --git a/.github/workflows/vulndb.yaml b/.github/workflows/vulndb.yaml
index 39b766ca..d148b235 100644
--- a/.github/workflows/vulndb.yaml
+++ b/.github/workflows/vulndb.yaml
@@ -7,6 +7,8 @@ env:
 POSTGRES_USER: devguard
 POSTGRES_HOST: localhost
 POSTGRES_PASSWORD: not_reachable_from_the_internet
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ date: $(date +%s)
 jobs:
 build:
@@ -54,6 +56,17 @@ jobs:
 - name: Zip the CSV files
 run: zip vulndb.zip cve_affected_component.csv #cves.csv cpe_matches.csv cve_cpe_match.csv cwes.csv exploits.csv weaknesses.csv
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+
+ - name: Write signing key to disk
+ run: 'echo "$COSIGN_PASSWORD" > cosign.key'
+
+ - name: Sign the database CSV files
+ run: cosign sign-blob -key cosign.key vulndb.zip
+
+
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v3
@@ -63,6 +76,10 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Setup oras cli
 uses: oras-project/setup-oras@v1
- - name: Push the database dump to OCI
+ - name: Push the database ZIP file to GitHub Container Registry
+ run: |
+ oras push ghcr.io/l3montree-dev/devguard/vulndb:${{env.date}} vulndb.zip
+
+ -name: Push the sign file to GitHub Container Registry
 run: |
- oras push ghcr.io/l3montree-dev/devguard/vulndb:$(date +%s) vulndb.zip
+ oras push ghcr.io/l3montree-dev/devguard/vulndb:${{env.date}} vulndb.zip.sig
\ No newline at end of file
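Review bot: `COSIGN_PASSWORD` is filled from `secrets.COSIGN_PRIVATE_KEY`, but cosign reads the `COSIGN_PASSWORD` environment variable as the passphrase of an encrypted private key, so the key material is handed to cosign as a passphrase and the name misdescribes what the second hunk writes to `cosign.key`; rename it `COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}` and, if the key is passphrase-protected, provide that passphrase from a separate secret. Putting it in the workflow-level `env:` also exposes the private key to every step of every job, including the third-party actions used later in this file; scope it to the signing step's own `env:` instead. `date: $(date +%s)` is not shell-expanded in an `env:` block: `${{ env.date }}` yields the literal text `$(date +%s)`, which each `run:` step in the third hunk then expands separately, so the ZIP and its signature can be pushed under different timestamp tags. Compute it once in a step, `run: echo "date=$(date +%s)" >> "$GITHUB_ENV"`, and drop the workflow-level entry.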
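Review bot: `cosign sign-blob -key cosign.key vulndb.zip` never produces the `vulndb.zip.sig` file that the third hunk pushes: without `--output-signature` the signature is written to stdout, and the documented flag is `--key` (current releases use double-dash flags and, as far as I recall, need `--yes` to run non-interactively). `sigstore/cosign-installer@main` pins the signing tool to a moving branch; pin a release tag or commit SHA so this supply-chain-critical step is reproducible. The private key echoed into `cosign.key` stays in the workspace for the rest of the job, readable by the later third-party actions; remove it right after signing or avoid the file entirely with `--key env://COSIGN_PRIVATE_KEY`. The step name `Sign the database CSV files` signs the ZIP, not the CSV files.
```yaml
# … unchanged: Zip the CSV files step …
      - name: Install Cosign
        uses: sigstore/cosign-installer@<pinned-release-tag-or-commit-sha>

      - name: Sign the database ZIP file
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          # COSIGN_PASSWORD: ${{ secrets.<key-passphrase-secret> }}  # only if the key is passphrase-protected
        run: |
          cosign sign-blob --key env://COSIGN_PRIVATE_KEY --output-signature vulndb.zip.sig vulndb.zip
# … unchanged: Login to GitHub Container Registry step …
```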
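Review bot: `-name: Push the sign file to GitHub Container Registry` is missing the space after the dash, so it is not a sequence entry and the workflow file no longer parses; it must read `- name: Push the sign file to GitHub Container Registry`. The file also loses its trailing newline (`\ No newline at end of file`), which should be restored. The diverging timestamp tags between this step and the ZIP push, caused by `${{env.date}}` expanding to a literal `$(date +%s)`, are raised at the first hunk.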