diff --git a/roles/community_images/defaults/main.yml b/roles/community_images/defaults/main.yml
index 75c05950e..25591bcf8 100644
--- a/roles/community_images/defaults/main.yml
+++ b/roles/community_images/defaults/main.yml
@@ -63,6 +63,7 @@ community_images_azimuth_images: |-
 "{{ dest_key }}": {
 "name": "{{ image.name }}",
 "source_url": "{{ image.url }}",
+ "bundle_url": "{{ image.get('cosign-bundle-url') }}",
 "checksum": "{{ image.checksum }}",
 "source_disk_format": "qcow2",
 "container_format": "bare",
diff --git a/roles/community_images/tasks/main.yml b/roles/community_images/tasks/main.yml
index 4d5811bb7..5844c0864 100644
--- a/roles/community_images/tasks/main.yml
+++ b/roles/community_images/tasks/main.yml
@@ -13,6 +13,14 @@
 pip:
 name: python-openstackclient
 executable: pip3
+
+ - name: Install cosign
+ shell: |
+ curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+ mv cosign-linux-amd64 /usr/local/bin/cosign
+ chmod +x /usr/local/bin/cosign
+ args:
+ creates: "/usr/local/bin/cosign"
 become: yes
 - name: Ensure OpenStack config directory exists
diff --git a/roles/community_images/tasks/upload_image.yml b/roles/community_images/tasks/upload_image.yml
index e64c51adb..caeca99e5 100644
--- a/roles/community_images/tasks/upload_image.yml
+++ b/roles/community_images/tasks/upload_image.yml
@@ -51,6 +51,8 @@
 set_fact:
 community_images_image_download_path: >-
 {{ (community_images_workdir, community_images_image_spec.name + '.download') | path_join }}
+ community_images_image_bundle_path: >-
+ {{ (community_images_workdir, community_images_image_spec.name + '.bundle') | path_join }}
 community_images_image_decompress_path: >-
 {{ (community_images_workdir, community_images_image_spec.name + '.decompress') | path_join }}
 community_images_image_convert_path: >-
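Review bot: `image.get('cosign-bundle-url')` renders as the literal text `None` when a manifest entry has no such key, and because this JSON is assembled as text inside the `|-` block, `bundle_url` would then arrive as the non-empty string `"None"`, which satisfies the `when: community_images_image_spec.bundle_url` guards in upload_image.yml and would send get_url to a URL of `None`. Give the lookup an explicit empty default so those guards see a falsy value: `"bundle_url": "{{ image.get('cosign-bundle-url', '') }}",`. Whether the manifest guarantees the key on every entry is not visible here; if it does, the default is still cheap insurance against a future unsigned entry. The enclosing `community_images_azimuth_images: |-` template starts before this hunk.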
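Review bot: The cosign binary that every later `verify-blob` check relies on is fetched from the floating `latest` release with no checksum or signature check, and `creates:` then freezes whatever landed in `/usr/local/bin/cosign`, so the trust root of the new verification step is an unpinned, unverified download. `curl -O -L` without `-f` also writes an HTTP error body to disk on a 4xx/5xx, and the following `chmod +x` marks that file executable. Pin a release and fetch it with `get_url` so the download is verified against a known digest before it is trusted; placeholders below stand for the values the project would pin. The enclosing block that carries `become: yes` starts before this hunk.
```yaml
    # … unchanged: pip install of python-openstackclient …
    - name: Install cosign
      get_url:
        url: "https://github.com/sigstore/cosign/releases/download/<COSIGN_VERSION_PLACEHOLDER>/cosign-linux-amd64"
        dest: /usr/local/bin/cosign
        checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
        mode: "0755"
```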
@@ -83,6 +85,21 @@
 checksum: "{{ community_images_image_spec.checksum | default(omit) }}"
 timeout: 600
+ - name: "Download signature bundle - {{ community_images_image_spec.name }}"
+ get_url:
+ url: "{{ community_images_image_spec.bundle_url }}"
+ dest: "{{ community_images_image_bundle_path }}"
+ timeout: 600
+ when: community_images_image_spec.bundle_url
+
+ - name: "Validate signature - {{ community_images_image_spec.name }}"
+ shell: |
+ cosign verify-blob {{ community_images_image_download_path }} \
+ --bundle {{ community_images_image_bundle_path }} \
+ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+ --certificate-identity-regexp="https://github.com/stackhpc/azimuth-images/.github/.*"
+ when: community_images_image_spec.bundle_url
+
 - name: "Uncompress image (bzip2) - {{ community_images_image_spec.name }}"
 shell: "bunzip2 -dc {{ community_images_image_download_path }} > {{ community_images_image_decompress_path }}"
 args:
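Review bot: The `--certificate-identity-regexp` in the Validate signature task is unanchored and leaves its dots unescaped, and cosign matches this pattern with Go regexp semantics, which find a match anywhere in the certificate identity, so any identity that merely contains that substring is accepted; the trailing `.*` additionally accepts a signature from any workflow and any ref of the repository, not only the ones that build release images. Tighten it to `--certificate-identity-regexp='^https://github\.com/stackhpc/azimuth-images/\.github/.*$'` and, if the images come from a specific workflow and ref, name them in place of the trailing `.*`. The two path substitutions in the cosign command are unquoted inside a `shell` task, so a spec `name` containing whitespace or shell metacharacters would alter the command; wrap `{{ community_images_image_download_path }}` and `{{ community_images_image_bundle_path }}` in double quotes. Because both new tasks are gated on `bundle_url`, a manifest entry without `cosign-bundle-url` bypasses verification silently; if every image is expected to be signed, consider failing the play in that case rather than skipping.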