diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index 0b6d186d..448a52da 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -129,6 +129,9 @@ jobs:
 username: ${{ secrets.R_METALSTACK_IO_READ_USER }}
 password: ${{ secrets.R_METALSTACK_IO_READ_PASSWORD }}
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v4.1.2
+
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/Makefile b/Makefile
index 9b9bc51f..1939aa3a 100644
--- a/Makefile
+++ b/Makefile
@@ -74,7 +74,7 @@ COMPOSE_ARGS += $(if $(MINI_LAB_HELM_CHARTS),-f compose.dev/helm-charts.yaml)
 endif
 .PHONY: up
-up: env gen-certs control-plane-bake partition-bake
+up: env gen-certs verify-deployment-image control-plane-bake partition-bake
 @chmod 600 files/ssh/id_ed25519
 docker compose $(COMPOSE_ARGS) up --pull=always --abort-on-container-failure --remove-orphans --force-recreate control-plane partition
 @$(MAKE) --no-print-directory start-machines
@@ -150,6 +150,15 @@ endif
 sudo --preserve-env=MINI_LAB_SONIC_IMAGE --preserve-env=MINI_LAB_DELL_SONIC_VERSION --preserve-env=MINI_LAB_VM_IMAGE $(CONTAINERLAB) deploy --topo $(LAB_TOPOLOGY) --reconfigure && \
 ./scripts/deactivate_offloading.sh; fi
+.PHONY: verify-deployment-image
+verify-deployment-image: env
+ @if which cosign 1> /dev/null 2> /dev/null; then \ echo -e "\033[0;32mcosign is installed, verifying deployment base image\033[0m" && \ . ./.env && cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:$$DEPLOYMENT_BASE_IMAGE_TAG; \ else \ echo -e "\033[1;33mcosign is not installed, install it in order to verify the deployment base image prior to your deployments\033[0m\n"; \ fi
+
 .PHONY: external_network
 external_network:
 @if ! docker network ls | grep -q mini_lab_ext; then \
diff --git a/compose.yaml b/compose.yaml
index a2f0d224..8fd3e0d9 100644
--- a/compose.yaml
+++ b/compose.yaml
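Review bot: `uses: sigstore/cosign-installer@v4.1.2` pins the step that installs the very tool performing the signature check to a mutable git tag, so the installer can be replaced upstream without any change in this repository; pin it to the full commit SHA and keep the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha> # v4.1.2`. The neighbouring `actions/checkout@v4` on the context line has the same weakness, though it is not part of this change. The enclosing job definition starts before this hunk.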
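Review bot: `verify-deployment-image` fails open: when cosign is absent the `else` branch only prints a warning and `up` proceeds to `docker compose ... up --pull=always` with an unverified image, whereas the `cosign verify` lines removed from compose.yaml ran under `bash -ce` and aborted the deployment on any failure. Make the missing tool an error with an explicit opt-out instead, e.g. `else echo -e "...cosign is not installed..." >&2; [ -n "$$MINI_LAB_SKIP_IMAGE_VERIFY" ] || exit 1; fi`, and prefer the POSIX `command -v cosign >/dev/null 2>&1` over `which`. Note also that the check verifies a mutable tag while the later pull re-resolves that same tag, so an image re-tagged between the two steps is not caught; resolving the digest from cosign's verification output and handing compose an `@sha256:` reference would close that window, though whether compose.yaml can take a digest here is not visible in this diff. Since verification now lives only behind `make up`, a direct `docker compose up` no longer gets any check, which is worth stating in the recipe's comment or the README.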
@@ -23,7 +23,6 @@ services:
 - /bin/bash
 - -ce
 - |
- cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG}
 ansible -m metalstack.base.metal_stack_release_vector localhost --extra-vars "@.extra_vars.yaml"
 ansible-playbook deploy_control_plane.yaml --extra-vars "@.extra_vars.yaml"
@@ -46,7 +45,6 @@ services:
 - /bin/bash
 - -ce
 - |
- cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG}
 ansible -m metalstack.base.metal_stack_release_vector localhost --extra-vars "@.extra_vars.yaml"
 ansible-playbook deploy_partition.yaml --extra-vars "@.extra_vars.yaml"