diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 443140d..1d0807e 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -10,6 +10,10 @@ jobs:
   build:
     name: Build landingpage
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       matrix:
         machine:
@@ -37,13 +41,6 @@ jobs:
     - name: Checkout the repository
       uses: actions/checkout@v3
 
-    - name: Login to DockerHub
-      if: github.event_name == 'release'
-      uses: docker/login-action@v2.2.0
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
     - name: Login to GitHub Container Registry
       if: github.event_name == 'release'
       uses: docker/login-action@v2.2.0
@@ -57,12 +54,13 @@ jobs:
       run: echo "BUILD_ARGS=--test" >> $GITHUB_ENV
 
     - name: Build landingpage
-      uses: home-assistant/builder@2023.06.0
+      uses: home-assistant/builder@2023.06.1
       with:
         args: |
           $BUILD_ARGS \
           --target /data \
           --no-latest \
+          --cosign \
           --machine landingpage=${{ matrix.machine }}
       env:
         CAS_API_KEY: ${{ secrets.CAS_TOKEN }}
diff --git a/build.yaml b/build.yaml
index d6494ac..f0da07b 100644
--- a/build.yaml
+++ b/build.yaml
@@ -1,5 +1,4 @@
-image: homeassistant/{machine}-homeassistant
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{machine}-homeassistant
 build_from:
   aarch64: scratch
   armv7: scratch
@@ -9,6 +8,9 @@ build_from:
 codenotary:
   signer: notary@home-assistant.io
   base_image: notary@home-assistant.io
+cosign:
+  base_identity: https://github.com/home-assistant/docker-base/.*
+  identity: https://github.com/home-assistant/landingpage/.*
 labels:
   io.hass.type: landingpage
   org.opencontainers.image.source: https://github.com/home-assistant/landingpage