diff --git a/blog/docs/releases/announcing-knative-v1-9-release.md b/blog/docs/releases/announcing-knative-v1-9-release.md
index d5b5bed5c..3d4f60a54 100644
--- a/blog/docs/releases/announcing-knative-v1-9-release.md
+++ b/blog/docs/releases/announcing-knative-v1-9-release.md
@@ -35,7 +35,8 @@ This release brings a number of smaller improvements to the core Knative Serving
- `allowPrivilegeEscalation` (empty means `true`)
- `seccompProfile.type` (empty string means `Unconfined`)
- `capabilities.drop` (default maintains privileges, use `ALL` to drop unneeded linux capabilities) (#13399, @evankanderson)
-
+- All Serving container images are signed with cosign (@upodroid).
+
## 💫 New Features & Changes
- Net-contour respects the `internal-encryption` Knative configuration, and encrypts traffic from Contour controlled Envoy to Activator. Requires Contour 1.24.0 or greater (#819, @KauzClay)
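Review bot: the new bullet `+- All Serving container images are signed with cosign (@upodroid).` cites only the author, while the neighbouring entries also reference the PR or issue (for example `(#13399, @evankanderson)`); add the PR number so readers can find the signing change, and do the same for the matching Eventing, Client and Operator bullets added later in this file.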
@@ -68,6 +69,7 @@ This release brings a number of smaller improvements to the core Knative Serving
## 💫 New Features & Changes
- 📄 ApiServerSource can specify a selector to target one or more namespaces. If the selector is missing, it will default to targeting the namespace in which the source resides (#6665, @gab-satchi)
+- All Eventing container images are signed with cosign (@upodroid).
## Bug fixes
@@ -81,6 +83,8 @@ This release brings a number of smaller improvements to the core Knative Serving
### 💫 New Features & Changes
* `quickstart` plugin will now create a local registry. (#376, @ehudyonasi)
+* All Client container images are signed with cosign (@upodroid).
+
### Small improvements
@@ -118,6 +122,7 @@ This release brings a number of smaller improvements to the core Knative Serving
[Release Notes](https://github.com/knative/operator/releases/tag/knative-v1.9.0)
- Security-Guard version 0.4 can now be installed using the Knative Operator. This new release of Security-Guard also includes TLS+Token support to secure internal communications between Security-Guard components (#1301, @houshengbo)
+- All Operator container images are signed with cosign (@upodroid).
## Thank you, contributors
diff --git a/docs/client/install-kn.md b/docs/client/install-kn.md
index f9557c605..47b38b74c 100644
--- a/docs/client/install-kn.md
+++ b/docs/client/install-kn.md
@@ -2,6 +2,7 @@
This guide provides details about how you can install the Knative `kn` CLI.
+--8<-- "security-prereqs-binaries.md"
--8<-- "install-kn.md"
## Install kn using the nightly-built binary
diff --git a/docs/install/operator/knative-with-operator-cli.md b/docs/install/operator/knative-with-operator-cli.md
index d9cbe35a8..dbaa891ae 100644
--- a/docs/install/operator/knative-with-operator-cli.md
+++ b/docs/install/operator/knative-with-operator-cli.md
@@ -5,6 +5,7 @@ you with a parameter-driven way to configure the Knative cluster, without intera
resources.
--8<-- "prerequisites.md"
+--8<-- "security-prereqs-binaries.md"
## Install the Knative Operator CLI Plugin
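Review bot: this page documents the Operator CLI plugin, but the included `security-prereqs-binaries.md` snippet is written for the `kn` CLI and downloads `checksums.txt` and `kn-darwin-amd64` from `github.com/knative/client/releases`; confirm the Operator plugin ships the same checksum, `.pem` and `.sig` files from that location, or parameterise the snippet so the repository and binary name match the artifact this page installs.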
diff --git a/docs/install/operator/knative-with-operators.md b/docs/install/operator/knative-with-operators.md
index c582585cf..33305423c 100644
--- a/docs/install/operator/knative-with-operators.md
+++ b/docs/install/operator/knative-with-operators.md
@@ -10,6 +10,7 @@ The following table describes the supported versions of Serving and Eventing for
| v1.9 | v1.9.0
v1.8.0, v1.8.1, v1.8.2 and v1.8.3
v1.7.0, v1.7.1, v1.7.2, v1.7.3 and v1.7.4
v1.6.0, v1.6.1, v1.6.2 and v1.6.3 | v1.9.0
v1.8.0, v1.8.1, v1.8.2, v1.8.3, v1.8.4 and v1.8.5
v1.7.0, v1.7.1, v1.7.2, v1.7.3, v1.7.4, v1.7.5, v1.7.6 and v1.7.7
v1.6.0, v1.6.1, v1.6.2 and v1.6.3 |
--8<-- "prerequisites.md"
+--8<-- "security-prereqs-images.md"
## Install the Knative Operator
diff --git a/docs/install/yaml-install/eventing/install-eventing-with-yaml.md b/docs/install/yaml-install/eventing/install-eventing-with-yaml.md
index 6de01551d..3520ef627 100644
--- a/docs/install/yaml-install/eventing/install-eventing-with-yaml.md
+++ b/docs/install/yaml-install/eventing/install-eventing-with-yaml.md
@@ -3,6 +3,7 @@
This topic describes how to install Knative Eventing by applying YAML files using the `kubectl` CLI.
--8<-- "prerequisites.md"
+--8<-- "security-prereqs-images.md"
## Install Knative Eventing
diff --git a/docs/install/yaml-install/serving/install-serving-with-yaml.md b/docs/install/yaml-install/serving/install-serving-with-yaml.md
index 90c85d1e2..1a1eb05a3 100644
--- a/docs/install/yaml-install/serving/install-serving-with-yaml.md
+++ b/docs/install/yaml-install/serving/install-serving-with-yaml.md
@@ -3,6 +3,7 @@
This topic describes how to install Knative Serving by applying YAML files using the `kubectl` CLI.
--8<-- "prerequisites.md"
+--8<-- "security-prereqs-images.md"
## Install the Knative Serving component
diff --git a/docs/reference/security/README.md b/docs/reference/security/README.md
index 4858b93f5..e951093e3 100644
--- a/docs/reference/security/README.md
+++ b/docs/reference/security/README.md
@@ -6,6 +6,57 @@ This page describes Knative security and disclosure information.
* [Threat model](https://github.com/knative/community/blob/main/working-groups/security/threat-model.md)
+## Code Signature Verification
+
+### All platforms
+
+Our releases from 1.9 are signed with [cosign](https://docs.sigstore.dev/cosign/overview). You can use the following steps to verify our binaries.
+
+1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the releases page:
+ ```sh
+ # this example verifies the 1.9.0 kn cli from the knative/client repository
+ wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt
+ wget https://github.com/knative/client/releases/download/knative-v1.9.0/kn-darwin-amd64
+ wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt.sig
+ wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt.pem
+ ```
+1. Verify the signature:
+ ```sh
+ COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+ --cert checksums.txt.pem \
+ --signature checksums.txt.sig \
+ checksums.txt
+ ```
+1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
+ ```sh
+ sha256sum --ignore-missing -c checksums.txt
+ ```
+
+!!! note
+ `COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
+ in `KEYLESS` mode. To learn more about keyless signing, please refer to
+ [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
+ Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
+
+### Apple macOS
+
+In addition to signing our binaries with `cosign`, we [notarize](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) our macOS binaries. You can use the `codesign` utility to verify our binaries from 1.9 release. You should expect an output that looks
+like this. The expected TeamIdentifier is `7R64489VHL`
+
+```
+codesign --verify -d --verbose=2 ~/Downloads/kn-quickstart-darwin-amd64
+
+Executable=/Users/REDACTED/Downloads/kn-quickstart-darwin-amd64
+Identifier=kn-quickstart-darwin-amd64
+...
+Authority=Developer ID Application: Mahamed Ali (7R64489VHL)
+Authority=Developer ID Certification Authority
+Authority=Apple Root CA
+Timestamp=3 Oct 2022 at 22:50:07
+...
+TeamIdentifier=7R64489VHL
+```
+
## Report a vulnerability
We're extremely grateful for security researchers and users that report vulnerabilities to the Knative Open Source Community. All reports are thoroughly investigated by a set of community volunteers.
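Review bot: the `cosign verify-blob` command in step 2 checks that the certificate chains to Fulcio and that the signature matches `checksums.txt`, but nothing in it pins the signer; the expected Subject and Issuer appear only in the note below, so a valid signature from any other keyless identity would pass. Pass them as constraints, e.g. `--certificate-identity signer@knative-nightly.iam.gserviceaccount.com --certificate-oidc-issuer https://accounts.google.com` (required in cosign 2.0 and later for keyless verification; cosign 1.x uses `--certificate-email` and `--certificate-oidc-issuer`), and say so in the note. Smaller points: step 1 says `checksum.txt.pem` while the download and the `--cert` flag use `checksums.txt.pem`; the macOS section says the binaries are notarized but the `codesign` output shown verifies the Developer ID signature chain, so mention a Gatekeeper assessment (`spctl --assess --verbose`) if notarization itself is what readers should confirm; the macOS fence mixes command and output and is untagged where the rest of the section uses ```sh; and `identity(Subject)` needs a space and the note's link is missing its closing period.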
diff --git a/docs/snippets/security-prereqs-binaries.md b/docs/snippets/security-prereqs-binaries.md
new file mode 100644
index 000000000..594946ad2
--- /dev/null
+++ b/docs/snippets/security-prereqs-binaries.md
@@ -0,0 +1,32 @@
+## Verifying CLI binaries
+
+Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs.sigstore.dev/cosign/overview). You can use the following steps to verify the CLI binaries:
+
+1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem`, and `checksums.txt.sig` files from the releases page, by running the commands:
+
+ ```sh
+ wget https://github.com/knative/client/releases/download//checksums.txt
+ wget https://github.com/knative/client/releases/download//kn-darwin-amd64
+ wget https://github.com/knative/client/releases/download//checksums.txt.sig
+ wget https://github.com/knative/client/releases/download//checksums.txt.pem
+ ```
+
+ Where `` is the version of the CLI that you want to verify. For example, `knative-v1.8.0`.
+
+1. Verify the signature by running the command:
+
+ ```sh
+ COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+ --cert checksums.txt.pem \
+ --signature checksums.txt.sig \
+ checksums.txt
+ ```
+
+1. If the signature is valid, you can then verify the `SHA256` sums match the downloaded binary, by running the command:
+
+ ```sh
+ sha256sum --ignore-missing -c checksums.txt
+ ```
+
+!!! note
+ `COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-nightly.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`.
diff --git a/docs/snippets/security-prereqs-images.md b/docs/snippets/security-prereqs-images.md
new file mode 100644
index 000000000..e94dd8261
--- /dev/null
+++ b/docs/snippets/security-prereqs-images.md
@@ -0,0 +1,25 @@
+## Verifying image signatures
+
+Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore.dev/cosign/overview).
+
+1. Install [cosign](https://docs.sigstore.dev/cosign/installation/) and [jq](https://stedolan.github.io/jq/).
+
+1. Extract the images from a manifeset and verify the signatures.
+
+```
+# download the yaml file, this example uses the serving manifest
+curl -fsSLO https://github.com/knative/serving/releases/download/knative-v1.9.0/serving-core.yaml
+cat serving-core.yaml | grep 'gcr.io/' | awk '{print $2}' > images.txt
+input=images.txt
+while IFS= read -r image
+do
+ COSIGN_EXPERIMENTAL=1 cosign verify -o text "$image" | jq
+done < "$input"
+
+```
+
+!!! note
+ `COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
+ in `KEYLESS` mode. To learn more about keyless signing, please refer to
+ [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
+ Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
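Review bot: the image extraction `cat serving-core.yaml | grep 'gcr.io/' | awk '{print $2}'` depends on line layout rather than YAML structure: it keeps any line mentioning `gcr.io/`, commented examples included, and `$2` is only the image reference when the line is exactly `image: <ref>`; for a `- image: <ref>` list item or a commented line it yields a stray word that `cosign verify` then fails on. Drop comment lines and take the last field instead, e.g. `grep -v '^\s*#' serving-core.yaml | grep 'gcr.io/' | awk '{print $NF}' | sort -u`, or extract the references with `yq`. The verify call also pins no identity although the note names the expected Subject and Issuer; add `--certificate-identity` and `--certificate-oidc-issuer`. Smaller: `manifeset` should be `manifest`, the fence is untagged and sits at column 0 so it ends the numbered list instead of belonging to step 2, and `identity(Subject)` needs a space.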