diff --git a/.github/workflows/draft-release-automatic-trigger.yml b/.github/workflows/draft-release-automatic-trigger.yml
index c43d0eb5d..05f221add 100644
--- a/.github/workflows/draft-release-automatic-trigger.yml
+++ b/.github/workflows/draft-release-automatic-trigger.yml
@@ -16,6 +16,10 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
 needs: call-workflow-build-artifacts-and-run-tests
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -29,6 +33,11 @@ jobs:
 - name: Package release assets
 run: scripts/package-release-assets.sh
+ - name: Attest build provenance uses: actions/attest-build-provenance@v3 with: subject-path: "output_assets/ouch-*"
+
 - name: Create release
 uses: softprops/action-gh-release@v2
 with:
diff --git a/README.md b/README.md
index a86094174..b96925b8f 100644
--- a/README.md
+++ b/README.md
@@ -179,6 +179,12 @@ cargo install ouch
 Check the [releases page](https://github.com/ouch-org/ouch/releases).
+Release binaries are signed with [Sigstore](https://sigstore.dev) via GitHub's artifact attestations. Verify a downloaded binary with the GitHub CLI:
+ ``` gh attestation verify ouch-x86_64-unknown-linux-musl --repo ouch-org/ouch ```
+
 ## Compiling from source code
 Check the [wiki guide on compiling](https://github.com/ouch-org/ouch/wiki/Compiling-and-installing-from-source-code).
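Review bot: The attestation subject `subject-path: "output_assets/ouch-*"` covers whatever `scripts/package-release-assets.sh` writes, which is not visible here; if those assets are archives rather than bare binaries, the README's `gh attestation verify ouch-x86_64-unknown-linux-musl --repo ouch-org/ouch` would be run against an extracted file that was never attested and fail, so the example should name the downloaded release asset exactly as it appears on the release, and a short comment on the step (`# subjects must match the asset names users download and verify`) would keep the two in sync. Separately, `uses: actions/attest-build-provenance@v3` is a mutable tag for the one step that holds `id-token: write` and signs the release artifacts; pinning it to a full commit SHA with the version in a trailing comment (`uses: actions/attest-build-provenance@<commit-sha>  # v3`) makes the signer itself reproducible, which the existing `actions/checkout@v4` reference in this file also does not do. The job's `steps` list continues outside the hunk.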