diff --git a/containers/docker/docker_helpers.sh b/containers/docker/docker_helpers.sh
index 8a00260..c37407f 100755
--- a/containers/docker/docker_helpers.sh
+++ b/containers/docker/docker_helpers.sh
@@ -10,6 +10,33 @@ docker_login() {
 	echo "${password}" | docker login --username "${username}" --password-stdin "${server}"
 }
 
+docker_retag_image() {
+	local image_to_retag="${1}"
+	local retagged_image="${2}"
+	local manifest_path=/tmp/manifest.json
+
+	oras manifest fetch --pretty "${image_to_retag}" --output "${manifest_path}"
+	oras manifest delete --force "${image_to_retag}"
+	oras manifest push --verbose "${retagged_image}" "${manifest_path}"
+	rm -fr "${manifest_path}"
+}
+
+docker_create_sbom_and_sign_image() {
+	local image="${1}"
+
+	syft packages "${image}" -o spdx-json > docker-image-sbom.spdx.json
+	cosign attach sbom --sbom docker-image-sbom.spdx.json "${image}"
+	image_digest=$(oras manifest fetch --descriptor "${image}" --pretty | jq -r '.digest')
+
+	if [[ -n "${COSIGN_PRIVATE_KEY}" ]]; then
+		cosign sign --key "${COSIGN_PRIVATE_KEY}" --recursive --yes "${image}"@"${image_digest}"
+	elif [[ -n "${SIGSTORE_ID_TOKEN}" ]]; then
+		cosign sign --recursive --yes "${image}"@"${image_digest}"
+	else
+		echo "no key found: skipping image signing"
+	fi
+}
+
 docker_clean_tag() {
 	echo "${1}" | perl -pe 's/^v(?P<semver>(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)$/$+{semver}/'
 }