diff --git a/.github/workflows/publish-dev-images.yml b/.github/workflows/publish-dev-images.yml
index 40ba41e..83de21a 100644
--- a/.github/workflows/publish-dev-images.yml
+++ b/.github/workflows/publish-dev-images.yml
@@ -21,6 +21,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 packages: write
+ id-token: write # needed for signing the images with GitHub OIDC Token

 steps:
 - name: Checkout
@@ -66,10 +67,16 @@ jobs:
 BAKE_META: ${{ steps.bake.outputs.metadata }}
 run: |
 readarray -t image_refs < <(
- jq <<<"${BAKE_META:?}" '
+ jq <<<"${BAKE_META:?}" -r '
 .[]
 | select(.["image.name"]? and .["containerimage.digest"]?)
- | "\(.["image.name"])@\(.["containerimage.digest"])"
+ | (.["containerimage.digest"]) as $containerimage_digest
+ | (.["image.name"] | split(",")) as $image_names
+ | $image_names[] | "\(.)@\($containerimage_digest)"
 '
 )
- cosign sign --yes ${image_refs:?}
+
+ echo "Images to sign:"
+ printf ' - %s\n' "${image_refs[@]}"
+
+ cosign sign --yes ${image_refs[@]:?}
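Review bot: `id-token: write` sits in the job-level `permissions:` block, so every step of this job can request an OIDC token for the workflow identity, not only the cosign step that needs it. The step list continues outside this hunk, but the second hunk reads `steps.bake.outputs.metadata`, which suggests the image build runs in the same job and would share that permission with any third-party actions it uses. Consider moving signing into its own job that receives the image digests as job outputs and is the only one carrying `id-token: write`. At minimum the comment could state the scope, e.g. `# job-scoped: every step below can mint an OIDC token; signing is the only intended user`.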
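Review bot: The final `cosign sign --yes ${image_refs[@]:?}` expands the array unquoted, so each reference goes through word splitting and globbing before cosign sees it; `cosign sign --yes "${image_refs[@]:?}"` passes every element through intact. The `:?` guard also fires only after the `echo`/`printf` lines, so an empty jq result prints a blank bullet before the step fails. A check such as `(( ${#image_refs[@]} )) || exit 1` ahead of the listing would fail earlier and keep the log an accurate record of what was signed. The `run:` script starts above this hunk.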