diff --git a/run_release.py b/run_release.py
index c811aab2..43bdd6b8 100755
--- a/run_release.py
+++ b/run_release.py
@@ -316,6 +316,23 @@ def check_ssh_connection(db: ReleaseShelf) -> None:
     client.exec_command("pwd")
 
 
+def check_sigstore_client(db: ReleaseShelf) -> None:
+    client = paramiko.SSHClient()
+    client.load_system_host_keys()
+    client.set_missing_host_key_policy(paramiko.WarningPolicy)
+    client.connect(DOWNLOADS_SERVER, port=22, username=db["ssh_user"])
+    _, stdout, _ = client.exec_command("python3 -m sigstore --version")
+    sigstore_version = stdout.read(1000).decode()
+    sigstore_vermatch = re.match("^sigstore ([0-9.]+)", sigstore_version)
+    if not sigstore_vermatch or tuple(
+        int(part) for part in sigstore_vermatch.group(1).split(".")
+    ) < (3, 5):
+        raise ReleaseException(
+            f"Sigstore version not detected or not valid. "
+            f"Expecting 3.5.x or later: {sigstore_version}"
+        )
+
+
 def check_buildbots(db: ReleaseShelf) -> None:
     async def _check() -> set[Builder]:
         async def _get_builder_status(
@@ -1250,6 +1267,7 @@ def _api_key(api_key: str) -> str:
             check_ssh_connection,
             f"Validating ssh connection to {DOWNLOADS_SERVER} and {DOCS_SERVER}",
         ),
+        Task(check_sigstore_client, "Checking Sigstore CLI"),
         Task(check_buildbots, "Check buildbots are good"),
         Task(check_cpython_repo_is_clean, "Checking Git repository is clean"),
         Task(check_magic_number, "Checking the magic number is up-to-date"),