From 623cbbcae3672bb9ddf7a2fffce03920f3a93938 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Sun, 14 Dec 2025 23:37:40 +0000
Subject: [PATCH] Add signing images and binaries.

---
 .goreleaser.yaml | 31 +++++++++++++++++++++++++++++++
 README.md | 17 +++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 605df8a..05a0b0b 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -65,3 +65,34 @@ dockers_v2: dockerfile: Dockerfile.goreleaser extra_files: - static/app + +signs: + - cmd: cosign + env: + - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }} + certificate: "${artifact}.pem" + args: + - sign-blob + - "--key" + - "env://COSIGN_KEY" + - "--output-signature" + - "${signature}" + - "--output-certificate" + - "${certificate}" + - "${artifact}" + - "--yes" + artifacts: checksum + output: true + +docker_signs: + - cmd: cosign + env: + - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }} + artifacts: manifests + output: true + args: + - sign + - "--key" + - "env://COSIGN_KEY" + - "${artifact}@${digest}" + - "--yes"
diff --git a/README.md b/README.md
index b766c0c..ec939d8 100644
--- a/README.md
+++ b/README.md
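Review bot: The new `signs` entry pairs `--key env://COSIGN_KEY` with `certificate: "${artifact}.pem"` and `--output-certificate "${certificate}"`, but cosign only issues a signing certificate in keyless (Fulcio) mode, so with a static key no `.pem` is written and goreleaser will likely fail to attach the missing file, or at best publish an empty certificate alongside the checksums. Drop the three lines `certificate: "${artifact}.pem"`, `- "--output-certificate"` and `- "${certificate}"` to match the key-based `docker_signs` entry in the same hunk, or switch to keyless signing and remove `--key` instead. The README hunk that follows documents key-based `verify-blob`/`verify` only, so the key-based variant is the consistent choice. Be aware too that `--yes` silences the prompt cosign shows before uploading the signature to the public Rekor transparency log, which `sign-blob` does by default in cosign v2; pass `--tlog-upload=false` if that publication is not intended.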
@@ -57,6 +57,23 @@ You should always try to stick to the latest and greatest version of the graphql
 You can find the example of the Kubernetes manifest in the [example standalone deployment](static/kubernetes-deployment.yaml) or [example combined deployment](static/kubernetes-single-deployment.yaml) files. Observed advantage of multideployment is that it allows the network requests to travel via localhost, without leaving the deployment which brings quite significant network performance boost.
+#### Verifying Release Signatures
+
+All release checksums and Docker images are signed with [cosign](https://github.com/sigstore/cosign). To verify:
+
+```bash
+# Verify checksum signature
+cosign verify-blob \
+  --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
+  --signature graphql-proxy-checksums.txt.sig \
+  graphql-proxy-checksums.txt
+
+# Verify Docker image
+cosign verify \
+  --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
+  ghcr.io/lukaszraczylo/graphql-monitoring-proxy:latest
+```
+
 #### Note on websocket support
 **Native WebSocket Support Available!** Starting with version 0.27.0, the proxy includes native WebSocket support for GraphQL subscriptions. Enable it by setting `WEBSOCKET_ENABLE=true`.