diff --git a/Makefile b/Makefile
index 317a08cc74..42aaa3425d 100644
--- a/Makefile
+++ b/Makefile
@@ -927,3 +927,16 @@ kube-apiserver-healthcheck-manifest:
 docker manifest create --amend ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG} ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG}-amd64
 docker manifest create --amend ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG} ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG}-arm64
 docker manifest push --purge ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG}
+
+#------------------------------------------------------
+# CloudBuild artifacts
+#
+# We hash some artifacts, so that we have can know that they were not modified after being built.
+
+.PHONY: cloudbuild-artifacts
+cloudbuild-artifacts:
+ mkdir -p ${KOPS_ROOT}/cloudbuild/
+ cd ${BAZELUPLOAD}/kops/; find . -type f | sort | xargs sha256sum > ${KOPS_ROOT}/cloudbuild/files.sha256
+ cd ${KOPS_ROOT}/bazel-bin/; find . -name '*.digest' -type f | sort | xargs grep . > ${KOPS_ROOT}/cloudbuild/image-digests
+ # ${BUILDER_OUTPUT}/output is a special cloudbuild target; the first 4KB is captured securely
+ cd ${KOPS_ROOT}/cloudbuild/; find -type f | sort | xargs sha256sum > ${BUILDER_OUTPUT}/output
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 6d8f1595a3..75f6855e03 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
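Review bot: The `cd ${BAZELUPLOAD}/kops/; find …` and `cd ${KOPS_ROOT}/bazel-bin/; find …` recipe lines in cloudbuild-artifacts chain with `;`, so if the cd fails (variable unset, directory missing) find runs in whatever directory the shell started in, files.sha256 and image-digests are written with the wrong contents, and the rule still exits 0; the third line then hashes those files into ${BUILDER_OUTPUT}/output, so the securely captured output would vouch for the wrong manifest. Chaining with `&&` makes a failed cd fatal: `cd ${BAZELUPLOAD}/kops/ && find . -type f | sort | xargs sha256sum > ${KOPS_ROOT}/cloudbuild/files.sha256` (and likewise for the bazel-bin and cloudbuild lines). For a manifest that is meant to be reproducible, `find … -print0 | LC_ALL=C sort -z | xargs -0 sha256sum` also keeps paths with whitespace intact and makes the ordering independent of the builder's locale. The header comment reads "so that we have can know"; "so that we can know" was presumably intended.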
@@ -49,6 +49,21 @@ steps:
 - kops-controller-manifest
 - dns-controller-manifest
 - kube-apiserver-healthcheck-manifest
+# Build cloudbuild artifacts (for attestation)
+- name: 'gcr.io/k8s-testimages/kubekins-e2e:v20210113-cc576af-experimental'
+ id: cloudbuild-artifacts
+ entrypoint: make
+ env:
+ # _GIT_TAG is not a valid semver, we use CI=1 instead
+ # - VERSION=$_GIT_TAG
+ - CI=$_CI
+ - PULL_BASE_REF=$_PULL_BASE_REF
+ - DOCKER_REGISTRY=$_DOCKER_REGISTRY
+ - DOCKER_IMAGE_PREFIX=$_DOCKER_IMAGE_PREFIX
+ - GCS_LOCATION=$_GCS_LOCATION
+ - LATEST_FILE=markers/${_PULL_BASE_REF}/latest-ci.txt
+ args:
+ - cloudbuild-artifacts
 substitutions:
 # _GIT_TAG will be filled with a git-based tag for the image, of the form vYYYYMMDD-hash, and
 # can be used as a substitution
@@ -58,3 +73,7 @@ substitutions:
 _DOCKER_REGISTRY: 'gcr.io'
 _DOCKER_IMAGE_PREFIX: 'k8s-staging-kops/'
 _GCS_LOCATION: 'gs://k8s-staging-kops/kops/releases/'
+artifacts:
+ objects:
+ location: '$_GCS_LOCATION/$_GIT_TAG/cloudbuild/'
+ paths: ["cloudbuild/*"]
\ No newline at end of file
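Review bot: The step that produces the integrity manifests pulls its builder image by a mutable tag, `name: 'gcr.io/k8s-testimages/kubekins-e2e:v20210113-cc576af-experimental'`; whoever can re-push that tag controls the code that computes the hashes, so for an attestation-producing step pinning by `@sha256:<digest>` would make the manifest as trustworthy as the builder itself. The earlier steps in this file are outside the hunk and likely use the same tag, so this may be a file-wide follow-up rather than a blocker here. The commented-out `# - VERSION=$_GIT_TAG` entry under env is dead configuration; the comment above it already records why CI=1 is used, so the line can be dropped.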
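Review bot: `location: '$_GCS_LOCATION/$_GIT_TAG/cloudbuild/'` inserts a `/` after `_GCS_LOCATION`, whose default `'gs://k8s-staging-kops/kops/releases/'` (context line above) already ends in one, so the path expands to `…/releases//<tag>/cloudbuild/`; GCS object names are literal strings, and unless the uploader normalizes the path the manifests land under an empty path component where anything browsing beside the release will not find them. Dropping the separator, `location: '$_GCS_LOCATION$_GIT_TAG/cloudbuild/'`, follows the trailing-slash convention the default already uses. `paths: ["cloudbuild/*"]` is resolved relative to the build workspace, which only matches the Makefile's `${KOPS_ROOT}/cloudbuild/` output directory if KOPS_ROOT is the workspace root — KOPS_ROOT is defined outside this diff, so that is worth confirming.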