diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b030562..f6a0ddb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -94,21 +94,33 @@ jobs:
           password: ${{ env.REGISTRY_PASSWORD }}
           extra-args: |
             --disable-content-trust
+
       # Sign container
       - uses: sigstore/cosign-installer@main
+
+      # Only needed when running `cosign sign` using a key
+      - name: Write signing key to disk
+        run: |
+          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
+          # DEBUG: get character count of key
+          wc -c cosign.key
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Sign container image
         run: |
-          cosign sign ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
+          cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
         env:
           TAGS: ${{ steps.push.outputs.digest }}
-          COSIGN_PRIVATE_KEY: ${{secrets.SIGNING_SECRET}}
           COSIGN_EXPERIMENTAL: false
+
       - name: Echo outputs
         run: |
           echo "${{ toJSON(steps.push.outputs) }}"