diff --git a/go.mod b/go.mod
index 20f1531d9..ebf75ffd3 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 	gopkg.in/go-playground/webhooks.v3 v3.13.0
 	gopkg.in/yaml.v2 v2.3.0
 	honnef.co/go/tools v0.0.1-2020.1.5 // indirect
-	knative.dev/hack v0.0.0-20221004153928-92a65f105c37
+	knative.dev/hack v0.0.0-20221010154335-3fdc50b9c24a
 )
 
 replace go.opencensus.io => go.opencensus.io v0.20.2
diff --git a/go.sum b/go.sum
index 3b1cc2f42..d367aa5de 100644
--- a/go.sum
+++ b/go.sum
@@ -538,8 +538,8 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k=
 honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-knative.dev/hack v0.0.0-20221004153928-92a65f105c37 h1:4xB0A2aWQtzUcFjpZf9ufxRsjt+E7tEL364VlPttI8s=
-knative.dev/hack v0.0.0-20221004153928-92a65f105c37/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
+knative.dev/hack v0.0.0-20221010154335-3fdc50b9c24a h1:yfq1OMrkyYkxDeM0pmAOeN4YF16R/WG0C+VvLBeq4uc=
+knative.dev/hack v0.0.0-20221010154335-3fdc50b9c24a/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/hack/release.sh b/vendor/knative.dev/hack/release.sh
index 8a424bf20..edce20063 100644
--- a/vendor/knative.dev/hack/release.sh
+++ b/vendor/knative.dev/hack/release.sh
@@ -314,7 +314,7 @@ function build_from_source() {
 
 # Build a release from source.
 function sign_release() {
-  if [ -z "${SIGN_IMAGES:-}" ]; then # Temporary Feature Gate
+  if (( ! IS_PROW )); then # This function can't be run by devs on their laptops
     return 0
   fi
 
@@ -331,26 +331,29 @@ function sign_release() { zip files.zip ${FILES} rcodesign notary-submit files.zip --api-key-path="${APPLE_NOTARY_API_KEY}" --wait sha256sum ${ARTIFACTS_TO_PUBLISH//checksums.txt/} > checksums.txt + echo "🧮 Post Notarization Checksum:" + cat checksums.txt fi + ID_TOKEN=$(gcloud auth print-identity-token --audiences=sigstore \ + --include-email \ + --impersonate-service-account="${SIGNING_IDENTITY}") + echo "Signing Images with the identity ${SIGNING_IDENTITY}" ## Sign the images with cosign - ## For now, check if ko has created imagerefs.txt file. In the future, missing image refs will break - ## the release for all jobs that publish images. if [[ -f "imagerefs.txt" ]]; then - echo "Signing Images with the identity ${SIGNING_IDENTITY}" - COSIGN_EXPERIMENTAL=1 cosign sign $(cat imagerefs.txt) --recursive --identity-token="$( - gcloud auth print-identity-token --audiences=sigstore \ - --include-email \ - --impersonate-service-account="${SIGNING_IDENTITY}")" + COSIGN_EXPERIMENTAL=1 cosign sign $(cat imagerefs.txt) --recursive --identity-token="${ID_TOKEN}" + if [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate + provenance-generator --clone-log=/logs/clone.json \ + --image-refs=imagerefs.txt --output=attestation.json + COSIGN_EXPERIMENTAL=1 cosign attest $(cat imagerefs.txt) --recursive --identity-token="${ID_TOKEN}" \ + --predicate=attestation.json --type=slsaprovenance + fi fi ## Check if there is checksums.txt file. 
If so, sign the checksum file
   if [[ -f "checksums.txt" ]]; then
     echo "Signing Images with the identity ${SIGNING_IDENTITY}"
-    COSIGN_EXPERIMENTAL=1 cosign sign-blob checksums.txt --output-signature=checksums.txt.sig --output-certificate=checksums.txt.pem --identity-token="$(
-      gcloud auth print-identity-token --audiences=sigstore \
-      --include-email \
-      --impersonate-service-account="${SIGNING_IDENTITY}")"
+    COSIGN_EXPERIMENTAL=1 cosign sign-blob checksums.txt --output-signature=checksums.txt.sig --output-certificate=checksums.txt.pem --identity-token="${ID_TOKEN}"
     ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} checksums.txt.sig checksums.txt.pem"
   fi
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 87f96c368..db4dbd558 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -286,7 +286,7 @@ gopkg.in/go-playground/webhooks.v3/github
 gopkg.in/yaml.v2
 # honnef.co/go/tools v0.0.1-2020.1.5
 ## explicit
-# knative.dev/hack v0.0.0-20221004153928-92a65f105c37
+# knative.dev/hack v0.0.0-20221010154335-3fdc50b9c24a
 ## explicit
 knative.dev/hack
 # go.opencensus.io => go.opencensus.io v0.20.2