diff --git a/.github/actions/copy-images/action.yml b/.github/actions/copy-images/action.yml
index ebdb08cc..0ba7a77f 100644
--- a/.github/actions/copy-images/action.yml
+++ b/.github/actions/copy-images/action.yml
@@ -54,7 +54,7 @@ runs:
         done
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
     - name: Sign images
       shell: bash
diff --git a/.github/workflows/bake_targets.yml b/.github/workflows/bake_targets.yml
index 9262ec83..d56dc8d7 100644
--- a/.github/workflows/bake_targets.yml
+++ b/.github/workflows/bake_targets.yml
@@ -123,7 +123,7 @@ jobs:
 
       # Even if we're testing we sign the images, so we can push them to production later if that's required
       - name: Install cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
         # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
         # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
         # how to use cosign.
diff --git a/.github/workflows/catalogs.yml b/.github/workflows/catalogs.yml
index 39ce2e11..bec2e7bb 100644
--- a/.github/workflows/catalogs.yml
+++ b/.github/workflows/catalogs.yml
@@ -52,7 +52,7 @@ jobs:
           yq -i '.metadata.name = "postgresql"' postgres-containers/Debian/ClusterImageCatalog-bookworm.yaml
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: Sign catalogs
         run: |