diff --git a/images/mirror/Earthfile b/images/mirror/Earthfile
index a5f71671be072c4ef6705b87c722ef8b584abb42..9feab9cbc113e4faccbe0b7f914cbaa6baae7c02 100644
--- a/images/mirror/Earthfile
+++ b/images/mirror/Earthfile
@@ -24,3 +24,14 @@ trivy:
 fedora:
     DO +MIRROR --image=quay.io/fedora/fedora:38@sha256:1972716109b1c906120061063bd4cb50a46c2138d95002ccb90126928d98e013
 
+cosign:
+    DO +MIRROR --image=gcr.io/projectsigstore/cosign:v2.2.0
+    SAVE ARTIFACT /ko-app/cosign ./cosign
+
+# verify-distroless allows to use cosign to verify all mirrored distroless images against Google's build identity
+verify-distroless:
+    FROM +fedora
+    COPY +cosign/cosign /usr/local/bin/cosign
+    COPY ./Earthfile ./
+    RUN cat ./Earthfile | grep 'DO +MIRROR --image=gcr.io/distroless/' | grep -Po 'gcr.io/distroless/[a-z0-9-.@/:]+' | xargs /usr/local/bin/cosign verify --certificate-oidc-issuer https://accounts.google.com  --certificate-identity keyless@distroless.iam.gserviceaccount.com
+
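Review bot: The added `cosign` target pulls the verifier by tag only (`DO +MIRROR --image=gcr.io/projectsigstore/cosign:v2.2.0`), while the `fedora` line just above it pins its image by `@sha256:` digest. `verify-distroless` copies `/ko-app/cosign` out of that image and relies on its verdict, so a re-pointed tag would change the tool that decides whether the distroless images pass. Pin it the same way: `DO +MIRROR --image=gcr.io/projectsigstore/cosign:v2.2.0@sha256:<digest-of-the-reviewed-v2.2.0-image>`. Separately, the `RUN` pipeline returns only the exit status of `xargs`, so if the `grep` stages match nothing, the build fails only because cosign presumably rejects an empty argument list. An explicit check that at least one image reference was extracted would make that failure deliberate.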