diff --git a/Makefile b/Makefile
index 7ef6c29cc33d514087f64f8f802a5f941231ecca..2230c265cb90856d14eff8372ac0b6b8bae6616a 100644
--- a/Makefile
+++ b/Makefile
@@ -46,6 +46,7 @@ endif
 KO_PREFIX ?= gcr.io/projectsigstore
 export KO_DOCKER_REPO=$(KO_PREFIX)
 REKOR_YAML ?= rekor-$(GIT_TAG).yaml
+GHCR_PREFIX ?= ghcr.io/sigstore/rekor
 
 # Binaries
 SWAGGER := $(TOOLS_BIN_DIR)/swagger
diff --git a/release/README.md b/release/README.md
index f6a57bcd2ba5ec764fe7936a1095465a9ca382d8..76ff1fc57a67840b9611ddbb01cb7040117bff16 100644
--- a/release/README.md
+++ b/release/README.md
@@ -31,7 +31,7 @@ $ git push origin ${RELEASE_TAG}
 
 ```shell
 $ gcloud builds submit --config <PATH_TO_CLOUDBUILD> \
-   --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=rekor,_STORAGE_LOCATION=rekor-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME> \
+   --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=rekor,_STORAGE_LOCATION=rekor-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME>,_GITHUB_USER=<GITHUB_USER> \
    --project <GCP_PROJECT>
 ```
 
@@ -47,6 +47,7 @@ Where:
 - `_KEY_NAME` key name of your  cosign key.
 - `_KEY_VERSION` version of the key storaged in KMS. Default `1`.
 - `_KEY_LOCATION` location in GCP where the key is storaged. Default `global`.
+- `_GITHUB_USER` GitHub user to authenticate for pushing to GHCR.
 
 4. When the job finish, whithout issues, you should be able to see in GitHub a draft release.
 You now can review the release, make any changes if needed and then publish to make it an official release.
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
index 1402f98c618f33de73180cae41bd262e813a6332..2e099a522b16479cbe4f56467e8e5ce23fcd0023 100644
--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
@@ -86,6 +86,30 @@ steps:
       && make sign-container-release \
       && make sign-keyless-release
 
+- name: gcr.io/cloud-builders/docker
+  entrypoint: 'bash'
+  dir: "go/src/sigstore/fulcio"
+  env:
+  - "GOPATH=/workspace/go"
+  - "GOBIN=/workspace/bin"
+  - PROJECT_ID=${PROJECT_ID}
+  - KEY_LOCATION=${_KEY_LOCATION}
+  - KEY_RING=${_KEY_RING}
+  - KEY_NAME=${_KEY_NAME}
+  - KEY_VERSION=${_KEY_VERSION}
+  - GIT_TAG=${_GIT_TAG}
+  - KO_PREFIX=gcr.io/${PROJECT_ID}
+  - COSIGN_EXPERIMENTAL=true
+  - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
+  - GITHUB_USER=${_GITHUB_USER}
+  secretEnv:
+  - GITHUB_TOKEN
+  args:
+    - '-c'
+    - |
+      echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
+      && make copy-signed-release-to-ghcr
+
 availableSecrets:
   secretManager:
   - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
@@ -117,3 +141,4 @@ substitutions:
   _KEY_NAME: 'honk-crypto'
   _KEY_VERSION: '1'
   _KEY_LOCATION: 'global'
+  _GITHUB_USER: 'placeholder'
diff --git a/release/release.mk b/release/release.mk
index 937afcc084b0f4954fd38ffc5df63779546e0796..201aaa706b1fa398707c3ab0eb6b95d22f383433 100644
--- a/release/release.mk
+++ b/release/release.mk
@@ -42,6 +42,21 @@ sign-keyless-rekor-cli-release:
 .PHONY: sign-keyless-release
 sign-keyless-release: sign-keyless-rekor-server-release sign-keyless-rekor-cli-release
 
+####################
+# copy image to GHCR
+####################
+
+.PHONY: copy-rekor-server-signed-release-to-ghcr
+copy-cosign-signed-release-to-ghcr:
+	cosign copy $(KO_PREFIX)/rekor-server:$(GIT_VERSION) $(GHCR_PREFIX)/rekor-server:$(GIT_VERSION)
+
+.PHONY: copy-rekor-cli-signed-release-to-ghcr
+copy-cosigned-signed-release-to-ghcr:
+	cosign copy $(KO_PREFIX)/rekor-cli:$(GIT_VERSION) $(GHCR_PREFIX)/rekor-cli:$(GIT_VERSION)
+
+.PHONY: copy-signed-release-to-ghcr
+copy-signed-release-to-ghcr: copy-rekor-server-signed-release-to-ghcr copy-rekor-cli-signed-release-to-ghcr
+
 ## --------------------------------------
 ## Dist / maybe we can deprecate
 ## --------------------------------------