diff --git a/action.yml b/action.yml
index 860a895..876a825 100644
--- a/action.yml
+++ b/action.yml
@@ -17,7 +17,7 @@ runs:
     - run: |
         bootstrap_version='v1.0.0'
         expected_bootstrap_version_digest='e36a05ab402bfee5463ad4752d8dc2941204c7b01a9a9931f921e91d94ba2484'
-        curl -L https://storage.googleapis.com/cosign-releases/v1.0.0/cosign-linux-amd64 -o cosign
+        curl -L https://github.com/sigstore/cosign/releases/download/v1.0.0/cosign-linux-amd64 -o cosign
         shaBootstrap=$(shasum -a 256 cosign | cut -d' ' -f1);
         if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then exit 1; fi
         chmod +x cosign
@@ -35,9 +35,9 @@ runs:
 
         # Download custom cosign
         if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
-          curl -L https://storage.googleapis.com/cosign-releases/v0.6.0/cosign_linux_amd64 -o cosign_${{ inputs.cosign-release }}
+          curl -L https://github.com/sigstore/cosign/releases/download/v0.6.0/cosign_linux_amd64 -o cosign_${{ inputs.cosign-release }}
         else
-          curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign-linux-amd64 -o cosign_${{ inputs.cosign-release }}
+          curl -L https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign-linux-amd64 -o cosign_${{ inputs.cosign-release }}
         fi
         shaCustom=$(shasum -a 256 cosign_${{ inputs.cosign-release }} | cut -d' ' -f1);