diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index ea2c03d..0e07dc2 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -150,6 +150,13 @@ jobs:
           inputs: ./test/artifact.txt
           staging: true
           internal-be-careful-debug: true
+      - name: Sign artifact with non-default rekor-version and publish signature
+        uses: ./
+        with:
+          inputs: ./test/artifact2.txt
+          staging: true
+          rekor-version: 1
+          internal-be-careful-debug: true
       - name: Check outputs
         run: |
           [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
diff --git a/action.py b/action.py
index d92f7a3..41d1259 100755
--- a/action.py
+++ b/action.py
@@ -151,6 +151,19 @@ def _fatal_help(msg):
 
 if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
     sigstore_global_args.append("--staging")
+    rekor_version_default = "2"
+else:
+    rekor_version_default = "1"
+
+rekor_version_env = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_VERSION")
+if rekor_version_env == "":
+    rekor_version = rekor_version_default
+elif rekor_version_env in ["1", "2"]:
+    rekor_version = rekor_version_env
+else:
+    _fatal_help(f"'{rekor_version_env}' is not a valid rekor-version")
+
+sigstore_sign_args.extend(["--rekor-version", rekor_version])
 
 verify_cert_identity = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY")
 if enable_verify and not verify_cert_identity:
diff --git a/action.yml b/action.yml
index 7321297..773be22 100644
--- a/action.yml
+++ b/action.yml
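Review bot: The new step signs `./test/artifact2.txt` with `rekor-version: 1`, but the visible part of the `Check outputs` step only asserts `./test/artifact.txt.sigstore.json`; that `run:` block continues outside the hunk, so if it does not already cover the new artifact, add `[[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1`. Both steps use `staging: true`, so the production-default branch in action.py (`rekor_version_default = "1"` when staging is off) is not exercised by the self-test. A plain existence check also does not confirm that the bundle carries a v1 log entry rather than the staging default of v2, which may be acceptable for a smoke test but is worth stating in the step name or a comment.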
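Review bot: `os.getenv("GHA_SIGSTORE_PYTHON_REKOR_VERSION")` has no default, so when the variable is absent (e.g. running action.py outside the composite action, which always exports it) `rekor_version_env` is `None`, which matches neither `== ""` nor the allow-list, and the run aborts with the message `'None' is not a valid rekor-version`. The surrounding code defaults its env reads (`os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false")`), so `rekor_version_env = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_VERSION", "")` keeps the unset case on the default path. Validating against the fixed allow-list before the value reaches `sigstore_sign_args` is the right shape for an input that ends up as a CLI argument. If `_fatal_help` does not terminate the process (its body is outside the hunk), `rekor_version` would be unbound on the `extend` line, so worth confirming it exits.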
@@ -32,6 +32,14 @@ inputs:
     description: "the custom OpenID Connect client secret to use during OAuth2"
     required: false
     default: ""
+  rekor-version:
+    description: |
+      The Rekor transparency log instance version used during signing. Valid values are [1, 2].
+      Verifying clients must be compatible with the used Rekor version.
+
+      Default rekor-version is 1, except when `staging` is enabled: then default rekor-version is 2.
+    required: false
+    default: ""
   staging:
     description: "use sigstore's staging instances, instead of the default production instances"
     required: false
@@ -92,6 +100,7 @@ runs:
         GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
+        GHA_SIGSTORE_PYTHON_REKOR_VERSION: "${{ inputs.rekor-version }}"
         GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
         GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
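Review bot: The `rekor-version` description documents the defaults but not that the value only affects signing (action.py appends `--rekor-version` to the sign arguments, not the verify ones), nor that any value other than exactly `1` or `2` makes the action fail. Suggest adding to the description: `Only signing is affected; any value other than "1" or "2" is rejected.` In a YAML file the phrase `[1, 2]` reads like a flow-style list; `"1" or "2"` is clearer about the accepted literals.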