diff --git a/.github/workflows/build-push-image.yml b/.github/workflows/build-push-image.yml
index af48634..030f69d 100644
--- a/.github/workflows/build-push-image.yml
+++ b/.github/workflows/build-push-image.yml
@@ -29,6 +29,10 @@ on:
 secrets:
 registry_token:
 required: true
+ outputs:
+ image_uri:
+ description: "The published container image location, with the tag and checksum"
+ value: ${{ jobs.merge.outputs.image_uri }}
 jobs:
 lint:
@@ -152,6 +156,7 @@ jobs:
 debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
 source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
 image: ${{ needs.build.outputs.image }}
+ image_uri: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.build.outputs.tag }}@${{ steps.image.outputs.digest_root }}"
 tag: ${{ needs.build.outputs.tag }}
 digest_root: ${{ steps.image.outputs.digest_root }}
 digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
@@ -295,6 +300,6 @@ jobs:
 - name: Sign container
 run: |-
- export IMAGE_URI="${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.merge.outputs.tag }}@${{ needs.merge.outputs.digest_root }}"
- cosign sign -d --yes --key=${{ inputs.key_name }}.key "$IMAGE_URI"
+ export IMAGE_URI="${{ needs.merge.image_uri }}"
+ cosign sign --yes --key=${{ inputs.key_name }}.key "$IMAGE_URI"
 shell: bash
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a862710..d2f8eac 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
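Review bot: The description of the new workflow_call output `image_uri` calls the trailing component a "checksum", but the value it exposes is the registry digest appended after `@`, which is the part that `cosign sign` and digest-pinned pulls actually rely on. I would say so explicitly for downstream callers such as ci.yml: `description: "Fully qualified reference of the published image (<registry>/<name>:<tag>@<digest>); consumers should pull and verify by this value, not by the tag alone"`. The `on:` / `workflow_call:` block this output belongs to starts outside the hunk.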
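Review bot: The new `image_uri` job output ends with a stray double quote (`…digest_root }}"`); since the value is an unquoted plain scalar, that `"` becomes a literal trailing character of the reference, so every consumer of the output (the Sign container step in this file and the `cosign save` step in ci.yml) receives a malformed image reference. Either drop the trailing character or quote the whole value: `image_uri: "${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.build.outputs.tag }}@${{ steps.image.outputs.digest_root }}"`. This reference is what ties the signature and the downstream pull to an immutable digest rather than a mutable tag, so a malformed value breaks the whole pinning chain; a one-line sanity check of the output in the merge job (for example a regex match on the `name:tag@digest` shape) would catch such regressions early. The `outputs:` map this line sits in belongs, presumably, to the `merge` job, whose header is outside the hunk.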
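Review bot: `${{ needs.merge.image_uri }}` is missing the `outputs` segment; job outputs are read as `needs.<job>.outputs.<name>` (the removed line used `needs.merge.outputs.tag` correctly), so this expression should render as an empty string and `IMAGE_URI` will be empty when `cosign sign` runs. The line should read `export IMAGE_URI="${{ needs.merge.outputs.image_uri }}"`. An empty reference makes cosign fail rather than sign something unintended, so this fails closed, but an explicit guard such as `[ -n "$IMAGE_URI" ] || { echo "image_uri output is empty" >&2; exit 1; }` before the sign call would make the failure mode obvious in the job log. The step also drops the `-d` flag from the `cosign sign` invocation; if that is intentional it is worth a word in the commit message. The enclosing job starts outside the hunk.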
@@ -205,13 +205,18 @@ jobs:
 id: date
 run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- - name: Restore container cache
- uses: actions/cache/restore@v4
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
 with:
- key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
- path: share/container.tar
- fail-on-cache-miss: true
+ cosign-release: 'v2.5.0'
+ - name: Get the container image from the registry
+ run: |-
+ cosign save ${{ needs.build-container-image.outputs.image_uri }} --dir tmp
+ cd tmp
+ tar -cvf ../share/container.tar
+ cd ..
+
 - name: Build Dangerzone .deb
 run: |
 ./dev_scripts/env.py --distro ${{ matrix.distro }} \