diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000000000000000000000000000000000000..af46fc339838a08134508ab273917b61285fef6b --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,139 @@ +# v0.4.0 + +## Highlights + +* Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (https://github.com/sigstore/rekor/pull/501) + +## Enhancements + +* Update the schema to match that of Trillian repo. The map specific (https://github.com/sigstore/rekor/pull/528) +* allow setting the user-agent string sent from the client (https://github.com/sigstore/rekor/pull/521) +* update key usage for ts cert (https://github.com/sigstore/rekor/pull/504) +* api/index/retrieve: allow searching on indicies with sha1 hashes (https://github.com/sigstore/rekor/pull/499) +* Only include Attestation data if attestation storage enabled (https://github.com/sigstore/rekor/pull/494) +* Fuzzing RequestFromRekor API (https://github.com/sigstore/rekor/pull/488) +* Included pprof for profiling the application. (https://github.com/sigstore/rekor/pull/485) +* refactor release and add signing (https://github.com/sigstore/rekor/pull/483) +* More verbose error message for redis connection failure (https://github.com/sigstore/rekor/pull/479) (https://github.com/sigstore/rekor/pull/480) +* Fixed modtime for reproducible goreleaser (https://github.com/sigstore/rekor/pull/473) +* add goreleaser and cloudbuild for releases (https://github.com/sigstore/rekor/pull/443) +* Add dynamic JS tree size counter (https://github.com/sigstore/rekor/pull/468) +* check that entry UUID == leafHash of returned entry (https://github.com/sigstore/rekor/pull/469) +* chore: upgrade cosign version (https://github.com/sigstore/rekor/pull/465) +* Reproducible builds with trimpath (https://github.com/sigstore/rekor/pull/464) +* correct links, add Table of Contents of sorts (https://github.com/sigstore/rekor/pull/449) +* update go tuf for rsa key impl (https://github.com/sigstore/rekor/pull/446) +* Canonicalize JSON before inserting into trillian (https://github.com/sigstore/rekor/pull/445) +* Export search UUIDs field 
(https://github.com/sigstore/rekor/pull/438) +* Add a flag to start specifying log index ranges for virtual indices. (https://github.com/sigstore/rekor/pull/435) +* Cleanup some initialization/flag parsing in rekor-server. (https://github.com/sigstore/rekor/pull/433) +* Drop 404 errors down to a warning. (https://github.com/sigstore/rekor/pull/426) +* Cleanup the output of search (the text goes to stderr not stdout). (https://github.com/sigstore/rekor/pull/421) +* remove extradata field from types (https://github.com/sigstore/rekor/pull/418) +* Update usage of ./cmd/rekor-cli/ from `rekor` to `rekor-cli` (https://github.com/sigstore/rekor/pull/417) +* Add TUF type (https://github.com/sigstore/rekor/pull/383) +* Updates to INSTALLATION.md notes (https://github.com/sigstore/rekor/pull/415) +* Update snippets to use `console` type for snippets (https://github.com/sigstore/rekor/pull/410) +* version: add way to display a version when using go get or go install (https://github.com/sigstore/rekor/pull/405) +* Use an in memory timestamping key (https://github.com/sigstore/rekor/pull/402) +* Links are case sensitive (https://github.com/sigstore/rekor/pull/401) +* Installation guide (https://github.com/sigstore/rekor/pull/400) +* Add a SignedTimestampNote (https://github.com/sigstore/rekor/pull/397) +* Provide instructions on verifying releases (https://github.com/sigstore/rekor/pull/399) +* rekor-server: add html page when humans reach the server via the browser (https://github.com/sigstore/rekor/pull/394) +* use go modules to track tools (https://github.com/sigstore/rekor/pull/395) + +## Bug Fixes + +* fix timestamp addition and unmarshal (https://github.com/sigstore/rekor/pull/525) +* Correct & parallelize tests (https://github.com/sigstore/rekor/pull/522) +* Fix fuzz go.sum issue (https://github.com/sigstore/rekor/pull/509) +* fix validation error (https://github.com/sigstore/rekor/pull/503) +* Correct Helm index keys (https://github.com/sigstore/rekor/pull/474) +* Fix 
a bug in x509 certificate handling. (https://github.com/sigstore/rekor/pull/461) +* Fix a conflict from parallel dependabot merges. (https://github.com/sigstore/rekor/pull/456) +* fix tuf metadata marshalling (https://github.com/sigstore/rekor/pull/447) +* Switch DSSE provider to go-securesystemslib (https://github.com/sigstore/rekor/pull/442) +* fix unmarshalling sth (https://github.com/sigstore/rekor/pull/409) +* Fix port flag override (https://github.com/sigstore/rekor/pull/396) +* makefile: small fix on the makefile for the rekor-server (https://github.com/sigstore/rekor/pull/393) + +## Dependencies Updates + +* Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (https://github.com/sigstore/rekor/pull/531) +* Bump sigstore/cosign-installer from 1.3.1 to 1.4.1 (https://github.com/sigstore/rekor/pull/530) +* Bump the DSSE signing library. (https://github.com/sigstore/rekor/pull/529) +* Bump golang from 1.17.4 to 1.17.5 (https://github.com/sigstore/rekor/pull/527) +* Bump golang from 1.17.3 to 1.17.4 (https://github.com/sigstore/rekor/pull/523) +* Bump gopkg.in/ini.v1 from 1.66.0 to 1.66.2 (https://github.com/sigstore/rekor/pull/520) +* Bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 (https://github.com/sigstore/rekor/pull/517) +* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/rekor/pull/516) +* Bump gopkg.in/ini.v1 from 1.64.0 to 1.66.0 (https://github.com/sigstore/rekor/pull/513) +* Upgraded go-playground/validator module to v10 (https://github.com/sigstore/rekor/pull/507) +* Bump gopkg.in/ini.v1 from 1.63.2 to 1.64.0 (https://github.com/sigstore/rekor/pull/495) +* Bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 (https://github.com/sigstore/rekor/pull/510) +* Bump the trillian import to v1.4.0. (https://github.com/sigstore/rekor/pull/502) +* Bump the trillian versions to v1.4.0 in our docker-compose setup. 
(https://github.com/sigstore/rekor/pull/500) +* update go.mod for go-fuzz (https://github.com/sigstore/rekor/pull/496) +* Bump sigstore/cosign-installer from 1.3.0 to 1.3.1 (https://github.com/sigstore/rekor/pull/491) +* Bump golang from 1.17.2 to 1.17.3 (https://github.com/sigstore/rekor/pull/482) +* Bump google.golang.org/grpc from 1.41.0 to 1.42.0 (https://github.com/sigstore/rekor/pull/478) +* Bump actions/checkout from 2.3.5 to 2.4.0 (https://github.com/sigstore/rekor/pull/477) +* Bump github.com/go-openapi/runtime from 0.20.0 to 0.21.0 (https://github.com/sigstore/rekor/pull/470) +* bump go-swagger to v0.28.0 (https://github.com/sigstore/rekor/pull/463) +* Bump github.com/in-toto/in-toto-golang from 0.3.2 to 0.3.3 (https://github.com/sigstore/rekor/pull/459) +* Bump actions/checkout from 2.3.4 to 2.3.5 (https://github.com/sigstore/rekor/pull/458) +* Bump github.com/mediocregopher/radix/v4 from 4.0.0-beta.1 to 4.0.0 (https://github.com/sigstore/rekor/pull/460) +* Bump github.com/go-openapi/runtime from 0.19.31 to 0.20.0 (https://github.com/sigstore/rekor/pull/451) +* Bump github.com/go-openapi/spec from 0.20.3 to 0.20.4 (https://github.com/sigstore/rekor/pull/454) +* Bump github.com/go-openapi/validate from 0.20.2 to 0.20.3 (https://github.com/sigstore/rekor/pull/453) +* Bump github.com/go-openapi/strfmt from 0.20.2 to 0.20.3 (https://github.com/sigstore/rekor/pull/452) +* Bump github.com/go-openapi/loads from 0.20.2 to 0.20.3 (https://github.com/sigstore/rekor/pull/450) +* Bump golang from 1.17.1 to 1.17.2 (https://github.com/sigstore/rekor/pull/448) +* Bump google.golang.org/grpc from 1.40.0 to 1.41.0 (https://github.com/sigstore/rekor/pull/441) +* Bump golang.org/x/mod from 0.5.0 to 0.5.1 (https://github.com/sigstore/rekor/pull/440) +* Bump github.com/spf13/viper from 1.8.1 to 1.9.0 (https://github.com/sigstore/rekor/pull/439) +* Bump gopkg.in/ini.v1 from 1.63.0 to 1.63.2 (https://github.com/sigstore/rekor/pull/437) +* Bump github.com/mitchellh/mapstructure 
from 1.4.1 to 1.4.2 (https://github.com/sigstore/rekor/pull/436) +* Bump gocloud to v0.24.0. (https://github.com/sigstore/rekor/pull/434) +* Bump golang from 1.17.0 to 1.17.1 (https://github.com/sigstore/rekor/pull/432) +* Bump go.uber.org/zap from 1.19.0 to 1.19.1 (https://github.com/sigstore/rekor/pull/431) +* Bump gopkg.in/ini.v1 from 1.62.0 to 1.63.0 (https://github.com/sigstore/rekor/pull/429) +* Bump github.com/go-openapi/runtime from 0.19.30 to 0.19.31 (https://github.com/sigstore/rekor/pull/425) +* Bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (https://github.com/sigstore/rekor/pull/423) +* Bump github.com/go-openapi/strfmt from 0.20.1 to 0.20.2 (https://github.com/sigstore/rekor/pull/422) +* Bump golang from 1.16.7 to 1.17.0 (https://github.com/sigstore/rekor/pull/413) +* Bump golang.org/x/mod from 0.4.2 to 0.5.0 (https://github.com/sigstore/rekor/pull/412) +* Bump google.golang.org/grpc from 1.39.1 to 1.40.0 (https://github.com/sigstore/rekor/pull/411) +* Bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (https://github.com/sigstore/rekor/pull/408) +* Bump go.uber.org/zap from 1.18.1 to 1.19.0 (https://github.com/sigstore/rekor/pull/407) +* Bump golang from 1.16.6 to 1.16.7 (https://github.com/sigstore/rekor/pull/403) +* Bump google.golang.org/grpc from 1.39.0 to 1.39.1 (https://github.com/sigstore/rekor/pull/404) + + +## Contributors + +* Aditya Sirish (@adityasaky) +* Andrew Block (@sabre1041) +* Asra Ali (@asraa) +* Axel Simon (@axelsimon) +* Batuhan Apaydın (@developer-guy) +* Bob Callaway (@bobcallaway) +* Carlos Panato (@cpanato) +* Dan Lorenc (@dlorenc) +* Dan Luhring (@luhring) +* Harry Fallows (@harryfallows) +* Hector Fernandez (@hectorj2f) +* Jake Sanders (@dekkagaijin) +* Jason Hall (@imjasonh) +* Lily Sturmann (@lkatalin) +* Luke Hinds (@lukehinds) +* Marina Moore (@mnm678) +* Mikhail Swift (@mikhailswift) +* Naveen Srinivasan (@naveensrinivasan) +* Robert James Hernandez (@sarcasticadmin) +* Santiago Torres 
(@SantiagoTorres) +* Tiziano Santoro (@tiziano88) +* Trishank Karthik Kuppusamy (@trishankatdatadog) +* Ville Aikas (@vaikas) +* kpcyrd (@kpcyrd)
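Review bot: In the Enhancements list, the entry for pull/528 stops mid-sentence ("Update the schema to match that of Trillian repo. The map specific"); complete the sentence or drop the fragment. In the same list, "indicies" in the pull/499 entry should be "indices", the heading "Dependencies Updates" should read "Dependency Updates", and entry capitalization and trailing periods are inconsistent throughout. The entries that change what a client or operator can rely on are listed with no statement of impact: "check that entry UUID == leafHash of returned entry" (pull/469), "Canonicalize JSON before inserting into trillian" (pull/445) and "Fix a bug in x509 certificate handling." (pull/461). A short clause on each saying what was affected would let users judge how urgently to upgrade. The pprof entry (pull/485) should also state whether profiling is enabled by default, since the line as written does not say.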