diff --git a/pkgs/tools/security/cosign/default.nix b/pkgs/tools/security/cosign/default.nix
new file mode 100644
index 000000000000..a49123aded27
--- /dev/null
+++ b/pkgs/tools/security/cosign/default.nix
@@ -0,0 +1,25 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "cosign";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "sigstore";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0rgq29vi0h378j0bqs53gjgp246rqxfpk6rwskzrmawgry0zr8pk";
+  };
+
+  vendorSha256 = "0pcp3wdvwq06ajdfbgadyq0ipfj65n276hj88p5v6wqfn821ahd6";
+
+  subPackages = [ "cmd/cosign" ];
+
+  meta = with lib; {
+    homepage = "https://github.com/sigstore/cosign";
+    changelog = "https://github.com/sigstore/cosign/releases/tag/v${version}";
+    description = "Container Signing CLI with support for ephemeral keys and Sigstore signing";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ lesuisse ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 4612a89430b0..d735706b08ce 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1237,6 +1237,8 @@ in
 
   corsmisc = callPackage ../tools/security/corsmisc { };
 
+  cosign = callPackage ../tools/security/cosign { };
+
   cozy = callPackage ../applications/audio/cozy-audiobooks { };
 
   cpuid = callPackage ../os-specific/linux/cpuid { };