diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index daf6738..ce7476c 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -59,16 +59,26 @@ jobs:
         run: |
           set -euxo pipefail
           dnf -y upgrade --refresh
-          dnf -y install \
+          # veilor-build:43 already ships git, curl, tar, sudo, nodejs.
+          # cosign is not packaged in Fedora 43; we install it from the
+          # upstream release tarball below in a separate step.
+          dnf -y install --skip-unavailable \
             podman \
             buildah \
             skopeo \
-            jq \
-            git \
-            curl \
-            tar \
-            sudo \
-            cosign
+            jq
+
+      - name: Install cosign binary (upstream release)
+        run: |
+          set -euxo pipefail
+          # Fedora 43 has no cosign rpm. Pull static x86_64 binary
+          # from sigstore/cosign GitHub releases. Pinned to v2.4.1.
+          COSIGN_VERSION="2.4.1"
+          curl -fsSL \
+            "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" \
+            -o /usr/local/bin/cosign
+          chmod +x /usr/local/bin/cosign
+          cosign version
 
       - name: Install BlueBuild CLI
         run: |