diff --git a/Dockerfile b/Dockerfile
index 31f75b47146..d3897e80fc7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,6 +36,8 @@ ARG FUSE_OVERLAYFS_VERSION=v1.8
 ARG CONTAINERD_FUSE_OVERLAYFS_VERSION=v1.0.4
 # Extra deps: IPFS
 ARG IPFS_VERSION=v0.11.0
+# Extra deps: Cosign
+ARG COSIGN_VERSION=v1.4.1
 
 # Test deps
 ARG GO_VERSION=1.17
@@ -183,7 +185,15 @@ RUN fname="go-ipfs_${IPFS_VERSION}_${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.g
   tmpout=$(mktemp -d) && \
   tar -C ${tmpout} -xzf "${fname}" go-ipfs/ipfs && \
   mv ${tmpout}/go-ipfs/ipfs /out/bin/ && \
-  echo "- IPFS: ${IPFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+  echo "- IPFS: ${IPFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md \
+ARG COSIGN_VERSION
+RUN fname="cosign-${TARGETOS:-linux}-${TARGETARCH:-amd64}" && \
+  curl -o "${fname}" -fSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/cosign-${COSIGN_VERSION}" | sha256sum -c && \
+  chmod +x $fname && \
+  mv $fname cosign && \
+  mv cosign /out/bin/ && \
+  echo "- cosign: ${COSIGN_VERSION}" >> /out/share/doc/nerdctl-full/README.md \
 
 RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \
@@ -239,8 +249,6 @@ COPY . /go/src/github.com/containerd/nerdctl
 WORKDIR /go/src/github.com/containerd/nerdctl
 VOLUME /tmp
 ENV CGO_ENABLED=0
-# copy cosign binary for integration test
-COPY --from=gcr.io/projectsigstore/cosign:v1.3.1@sha256:3cd9b3a866579dc2e0cf2fdea547f4c9a27139276cc373165c26842bc594b8bd /ko-app/cosign /usr/local/bin/cosign
 # enable offline ipfs for integration test
 COPY ./Dockerfile.d/test-integration-etc_containerd-stargz-grpc_config.toml /etc/containerd-stargz-grpc/config.toml
 COPY ./Dockerfile.d/test-integration-ipfs-offline.service /usr/local/lib/systemd/system/
diff --git a/Dockerfile.d/SHA256SUMS.d/cosign-v1.4.1 b/Dockerfile.d/SHA256SUMS.d/cosign-v1.4.1
new file mode 100644
index 00000000000..87387b69cda
--- /dev/null
+++ b/Dockerfile.d/SHA256SUMS.d/cosign-v1.4.1
@@ -0,0 +1,2 @@
+08ba779a4e6ff827079abed1a6d1f0a0d9e48aea21f520ddeb42ff912f59d268  cosign-linux-amd64
+b0c02b607e722b9d2b1807f6efb73042762e77391c51c8948710e7f571ceaa73  cosign-linux-arm64