diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 446ac3ca82..0934dfc51c 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -1348,6 +1348,7 @@ jobs:
 permissions:
 contents: write
 discussions: write
+ id-token: write # IMPORTANT: mandatory for Sigstore signing
 steps:
 - name: Download all the dists
@@ -1423,16 +1424,28 @@ jobs:
 }}' | tee -a release-notes.md
 shell: bash
+ - name: Sign the dists with Sigstore
+ uses: sigstore/gh-action-sigstore-python@v2.1.1
+ with:
+ inputs: >-
+ dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}
+ dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}
+
 - name: >-
 Publish a GitHub Release for ${{ needs.pre-setup.outputs.git-tag }}
+ with Sigstore-signed artifacts
 uses: ncipollo/release-action@v1
 with:
 allowUpdates: false
 artifactErrorsFailBuild: false
 artifacts: |
 dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}
+ dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}.crt
+ dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}.sig
 dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}
+ dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}.crt
+ dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}.sig
 artifactContentType: raw # Because whl and tgz are of different types
 bodyFile: release-notes.md
 discussionCategory: Announcements
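Review bot: The added `id-token: write` sits in the job-level `permissions:` block, so every step of this job can request an OIDC token, not only the signing step, and the same job also holds `contents: write` and `discussions: write`. The `steps:` list continues outside this hunk, so which actions run under these permissions cannot be checked from here. If any of them are third-party actions referenced by a movable tag, consider moving signing into its own job that holds only `id-token: write` and passes the signature files to the release job as workflow artifacts. The comment could also say what the token is for, e.g. `id-token: write  # OIDC identity for keyless Sigstore signing`.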
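Review bot: `artifactErrorsFailBuild: false` (unchanged context in this hunk) leaves the four new `.crt`/`.sig` entries under `artifacts:` best-effort, so a release could be published without its signatures if the signing step's output names ever differ from the ones listed here. Since the step title now promises Sigstore-signed artifacts, consider `artifactErrorsFailBuild: true`, or a short step before publishing that fails when any of the four files is missing. Separately, the new `uses: sigstore/gh-action-sigstore-python@v2.1.1` is referenced by tag and runs in what appears to be the job that holds `id-token: write` and `contents: write`. Pinning it to a full commit SHA with the version kept as a trailing comment (`@<full-commit-sha>  # v2.1.1`) removes the dependency on a movable ref. The job definition begins outside this hunk.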