diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index cb467bc..8d337dc 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -58,6 +58,8 @@ jobs:
           images: |
            ghcr.io/${{ github.repository }}
            docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/yt-dlp-webui
+          tags: |
+            type=raw,value=latest
 
       - name: Build and push Docker image
         id: build-and-push
@@ -67,8 +69,8 @@ jobs:
           context: .
           push: true
           platforms: linux/amd64,linux/arm/v7,linux/arm64
-          tags: ${{ secrets.DOCKER_HUB_USERNAME }}/yt-dlp-webui:latest
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels}}
 
       - name: Sign the published Docker image
         env:
@@ -76,5 +78,5 @@ jobs:
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: |
-          cosign sign ghcr.io/${{ github.repository }}:latest
-          cosign sign docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/yt-dlp-webui:latest
+          cosign sign ghcr.io/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }}
+          cosign sign docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/yt-dlp-webui@${{ steps.build-and-push.outputs.digest }}