diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4959ed8c..d1c8009e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -66,6 +66,14 @@ jobs:
           args: release --clean ${{ env.flags }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Export and upload public key
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        run: |
+          gpg --export --armor "${{ secrets.GPG_FINGERPRINT }}" > pubkey.asc
+          gh release upload ${{ github.ref_name }} pubkey.asc
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   provenance-smoke-test:
     runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index 0f54974c..a3241623 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,8 @@ helm plugin install https://github.com/databus23/helm-diff/releases/latest/downl
 For offline/airgapped environments, download the public key from the GitHub release assets on a connected machine, transfer it, and import it locally:
 
 ```shell
-gpg --import <public-key.asc>
+curl -sL https://github.com/databus23/helm-diff/releases/latest/download/pubkey.asc -o pubkey.asc
+gpg --import pubkey.asc
 ```
 
 The public key fingerprint is published in the notes for each GitHub release.