diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml 
index 858a8ce..ffcf31c 100644 
--- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml 
@@ -53,7 +53,15 @@ jobs:
 # pinned: tag v3.7.0
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6
 with:
- cosign-release: 'v2.4.1'
+ # v2.6.3 (latest v2 line). The v0.3.0 release run failed BEFORE
+ # goreleaser even started: goreleaser-action verifies its own
+ # download against checksums.txt.sigstore.json, and cosign v2.4.1
+ # cannot read the new-style protobuf sigstore bundle goreleaser
+ # v2.16.0 ships ("bundle does not contain cert for verification").
+ # Staying on the v2 line keeps our signs: invocation
+ # (sign-blob --output-signature/--output-certificate --yes)
+ # contract-identical.
+ cosign-release: 'v2.6.3'
 - name: Install syft (SBOM)
 # pinned: tag v0.20.0