diff --git a/projects/sigstore.dev/cosign/package.yml b/projects/sigstore.dev/cosign/package.yml
new file mode 100644
index 00000000..5b553d65
--- /dev/null
+++ b/projects/sigstore.dev/cosign/package.yml
@@ -0,0 +1,35 @@
+distributable:
+  url: https://github.com/sigstore/cosign/archive/refs/tags/v{{version}}.tar.gz
+  strip-components: 1
+
+versions:
+  github: sigstore/cosign
+
+provides:
+  - bin/cosign
+
+build:
+  dependencies:
+    go.dev: ^1.20
+  script: |
+    go mod download
+    mkdir -p "{{ prefix }}"/bin
+    go build -v -trimpath -ldflags="$LDFLAGS" -o $BUILDLOC ./cmd/cosign
+  env:
+    GOPROXY: https://proxy.golang.org,direct
+    GOSUMDB: sum.golang.org
+    GO111MODULE: on
+    CGO_ENABLED: 0
+    BUILDLOC: '{{prefix}}/bin/cosign'
+    LDFLAGS:
+      - -s
+      - -w
+      - -X sigs.k8s.io/release-utils/version.gitVersion={{version}}
+    linux:
+      # or segmentation fault
+      # fix found here https://github.com/docker-library/golang/issues/402#issuecomment-982204575
+      LDFLAGS:
+      - -buildmode=pie
+
+test:
+  cosign version | grep {{version}}