diff --git a/__tests__/sigstore/sigstore.test.itg.ts b/__tests__/sigstore/sigstore.test.itg.ts
index 09dd8c4..f756444 100644
--- a/__tests__/sigstore/sigstore.test.itg.ts
+++ b/__tests__/sigstore/sigstore.test.itg.ts
@@ -36,7 +36,7 @@ const maybeIdToken = runTest && process.env.ACTIONS_ID_TOKEN_REQUEST_URL ? descr
   beforeAll(async () => {
     const cosignInstall = new CosignInstall();
     const cosignBinPath = await cosignInstall.download({
-      version: 'v3.0.4'
+      version: 'v3.0.6'
     });
     await cosignInstall.install(cosignBinPath);
   }, 100000);
diff --git a/src/sigstore/sigstore.ts b/src/sigstore/sigstore.ts
index 2b69afe..2662a15 100644
--- a/src/sigstore/sigstore.ts
+++ b/src/sigstore/sigstore.ts
@@ -55,6 +55,8 @@ export interface SigstoreOpts {
   imageTools?: ImageTools;
 }
 
+const COSIGN_PREDICATE_SLSA_PROVENANCE_V1 = 'slsaprovenance1';
+
 export class Sigstore {
   private readonly cosign: Cosign;
   private readonly imageTools: ImageTools;
@@ -352,7 +354,8 @@ export class Sigstore {
       'verify-blob-attestation',
       '--new-bundle-format',
       '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
-      '--certificate-identity-regexp', opts.certificateIdentityRegexp
+      '--certificate-identity-regexp', opts.certificateIdentityRegexp,
+      '--type', opts.predicateType ?? COSIGN_PREDICATE_SLSA_PROVENANCE_V1
     ]
     if (opts.noTransparencyLog || !signedRes.tlogID) {
       // if there is no tlog entry, we skip tlog verification but still verify the signed timestamp
diff --git a/src/types/sigstore/sigstore.ts b/src/types/sigstore/sigstore.ts
index 355b95b..f9a6a7b 100644
--- a/src/types/sigstore/sigstore.ts
+++ b/src/types/sigstore/sigstore.ts
@@ -73,6 +73,7 @@ export interface SignProvenanceBlobsResult extends ParsedBundle {
 }
 
 export interface VerifySignedArtifactsOpts {
+  predicateType?: string;
   certificateIdentityRegexp: string;
   noTransparencyLog?: boolean;
 }
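Review bot: `COSIGN_PREDICATE_SLSA_PROVENANCE_V1` is a bare magic string with no comment saying what `'slsaprovenance1'` is or why it is the module-level default; a reader has to know cosign's alias table to see that it selects the SLSA Provenance v1 predicate. I would add above the declaration: `// cosign's short alias for the SLSA Provenance v1 predicate type (https://slsa.dev/provenance/v1).` and `// Default for --type so verification is bound to one predicate type instead of accepting any attestation a matching identity signed.` If the default is ever moved to another predicate version, the identifier's `V1` suffix must move with it.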
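Review bot: `opts.predicateType` is handed to cosign's `--type` unchecked, and because `??` only substitutes for null/undefined an empty or whitespace-only string reaches cosign as `--type ''` instead of falling back to the SLSA v1 default. I would reject that before the argument list is built, e.g. `if (opts.predicateType !== undefined && opts.predicateType.trim() === '') { throw new Error('predicateType must not be empty'); }`, so the caller gets a precise error rather than whatever cosign reports for an unknown type. As far as I know cosign's `--type` accepts either one of its short aliases or a full predicateType URI, so an allow-list of aliases would be too strict here; a non-empty check is the right bound. The enclosing method starts and ends outside this hunk, so I cannot see whether `opts` is validated elsewhere.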
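Review bot: The new `predicateType` field on `VerifySignedArtifactsOpts` carries no documentation, so callers cannot tell from the type what values are accepted or what happens when it is omitted. I would add a TSDoc comment: `/** Predicate type passed to cosign's --type: one of cosign's aliases (e.g. 'slsaprovenance1') or a predicateType URI. Defaults to SLSA Provenance v1 when omitted. */`. Whether a full URI is accepted is cosign behaviour I have not verified here, so confirm it against the cosign version pinned in the integration test before committing to that wording.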