diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 1134234ded..d898a1a5d8 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -34,10 +34,12 @@ jobs: - name: docker images publish run: | + make docker-publish-sigs make docker-publish-initContainer - name: Sign image run: | + export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*") echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
@@ -75,6 +77,7 @@ jobs: - name: Sign image run: | + export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*") echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
@@ -112,5 +115,6 @@ jobs: - name: Sign image run: | + export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*") echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_IMAGE_VERSION}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 89c3c13ee5..b9e875babc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -51,10 +51,12 @@ jobs: - name : docker images publish run: | + make docker-publish-sigs make docker-publish-initContainer - name: Sign image run: | + export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION} release-kyverno: 
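Review bot: `export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures` is repeated as an inline export in every signing step of this file (this hunk, @@ -75 and @@ -112) and of release.yaml (@@ -51, @@ -116, @@ -184), and because each `run: |` block is its own shell the value has to be kept identical in six places by hand. One workflow- or job-level `env:` entry, `COSIGN_REPOSITORY: ghcr.io/kyverno/signatures`, would reach every step and remove the six exports. Moving signatures away from the image also changes the verification contract: `cosign verify` on ghcr.io/kyverno/kyvernopre will look beside the image and find nothing unless the verifier sets the same variable, so a comment above the step, `# Signatures live in ghcr.io/kyverno/signatures; verifiers must set COSIGN_REPOSITORY to the same value`, records that where the next maintainer will look. Note too that `make docker-publish-sigs` pushes an ordinary alpine image as `signatures:latest` into the repository that also receives the cosign signature tags, so anything that lists or prunes that repository must expect both kinds of content. The job these steps belong to starts before the hunk.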
@@ -116,13 +118,15 @@ jobs: - name : docker images publish run: | + make docker-publish-sbom make docker-publish-kyverno - name: Sign image and SBOM run: | + export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION} - cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/kyverno:latest - + cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest + - name: Trivy Scan Image uses: aquasecurity/trivy-action@master with:
@@ -184,6 +188,7 @@ jobs: - name: Sign image run: | + export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION} create-release:
diff --git a/Makefile b/Makefile
index 5d31c2aaa2..e0ca884294 100644
--- a/Makefile
+++ b/Makefile 
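Review bot: The rewritten `cosign attach sbom` line now attaches the SBOM to `ghcr.io/kyverno/sbom:latest`, the alpine placeholder pushed by `make docker-publish-sbom`, instead of to the kyverno image the SBOM describes (the removed line at least targeted the kyverno image). cosign keys an attached SBOM by the digest of the reference it is given, so `cosign download sbom ghcr.io/kyverno/kyverno:${KYVERNO_VERSION}` will find nothing, and the SBOM is reachable only through the placeholder's digest, which changes every time a new `sbom:latest` is pushed; with `COSIGN_REPOSITORY` exported two lines above, the blob presumably lands in the signatures repository anyway, keyed by that unrelated digest. Keeping the image reference does what the step name promises: `cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/kyverno:${KYVERNO_VERSION}`. The attached SBOM is also left unsigned, so a consumer cannot distinguish a tampered SBOM from the published one; signing the SBOM reference as well, or a comment stating that the SBOM is published unsigned, would make that explicit. The @@ -184 hunk only repeats the export, and the job body starts before this hunk.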
@@ -40,6 +40,38 @@ KYVERNO_PATH:= cmd/kyverno build: kyverno PWD := $(CURDIR)
+##################################
+# SIGNATURE CONTAINER
+##################################
+ALPINE_PATH := cmd/alpineBase
+SIG_IMAGE := signatures
+.PHONY: docker-build-signature docker-push-signature
+
+docker-publish-sigs: docker-build-signature docker-push-signature
+
+docker-build-signature:
+ @docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
+
+docker-push-signature:
+ @docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
+ @docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):latest .
+
+##################################
+# SBOM CONTAINER
+##################################
+ALPINE_PATH := cmd/alpineBase
+SBOM_IMAGE := sbom
+.PHONY: docker-build-sbom docker-push-sbom
+
+docker-publish-sbom: docker-build-sbom docker-push-sbom
+
+docker-build-sbom:
+ @docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
+
+docker-push-signature:
+ @docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
+ @docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):latest .
+
 ################################## # INIT CONTAINER ##################################
diff --git a/cmd/alpineBase/Dockerfile b/cmd/alpineBase/Dockerfile
new file mode 100644
index 0000000000..2f179b98db
--- /dev/null
+++ b/cmd/alpineBase/Dockerfile
@@ -0,0 +1 @@
+FROM alpine:3.14
\ No newline at end of file
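Review bot: The SBOM section's push target is declared as `docker-push-signature:` a second time instead of `docker-push-sbom:`, so make sees two recipes for `docker-push-signature` (it warns and keeps the last one, which pushes `$(REPO)/sbom`) while `docker-publish-sbom` depends on a `docker-push-sbom` that has no recipe at all. The net effect is that `make docker-publish-sigs` pushes the SBOM image and never the signatures image, and `make docker-publish-sbom` pushes nothing; renaming the second target to `docker-push-sbom:` fixes both. `ALPINE_PATH := cmd/alpineBase` is assigned twice, and neither `docker-publish-sigs` nor `docker-publish-sbom` is listed in `.PHONY` (e.g. `.PHONY: docker-build-sbom docker-push-sbom docker-publish-sbom`), so a file of that name in the tree would silently satisfy the target. Each push target also runs `buildx build --push` twice, once per tag, so `:$(IMAGE_TAG)` and `:latest` are separate builds rather than one image under two tags; a single invocation with two `--tag` flags keeps the digests identical. `$(REPO)` and `$(IMAGE_TAG)` are assumed to be defined earlier in the Makefile, outside this hunk.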
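Review bot: `FROM alpine:3.14` pulls a mutable tag, so the placeholder image that the Makefile rebuilds and pushes on every publish can change content with no change in this repository; pinning by digest, `FROM alpine:3.14@sha256:<digest-placeholder>`, keeps the `signatures` and `sbom` images reproducible. Since nothing from this image is ever executed, a header comment such as `# Placeholder image: the signatures/sbom repositories exist only to hold cosign attachments` would explain why the file has no other instructions. The file is also missing its trailing newline.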