diff --git a/README.md b/README.md
index 88f846a..ef1f28e 100644
--- a/README.md
+++ b/README.md
@@ -92,7 +92,7 @@ All release checksums are signed with [cosign](https://github.com/sigstore/cosig
 ```bash
 # Download the checksum file and its sigstore bundle from the release
 cosign verify-blob \
-  --certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
+  --certificate-identity-regexp "^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$" \
   --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
   --bundle "kportal--checksums.txt.sigstore.json" \
   kportal--checksums.txt
diff --git a/install.sh b/install.sh
index 5beb8d5..98f23ee 100755
--- a/install.sh
+++ b/install.sh
@@ -133,8 +133,12 @@ verify_cosign_signature() {
     fi
 
     print_info "Verifying cosign signature on checksums.txt..."
+    # Releases are signed by the shared-actions reusable workflow, so the
+    # cert subject is the workflow URL — NOT this repo. Override with
+    # COSIGN_CERT_IDENTITY_REGEXP if you fork the release pipeline.
+    local cert_identity_regexp="${COSIGN_CERT_IDENTITY_REGEXP:-^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$}"
     if cosign verify-blob \
-        --certificate-identity-regexp "https://github.com/${REPO}/.*" \
+        --certificate-identity-regexp "${cert_identity_regexp}" \
         --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
         --bundle "${sig_file}" \
         "${checksums_file}" >/dev/null 2>&1; then
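Review bot: The new `COSIGN_CERT_IDENTITY_REGEXP` override is applied silently, so an installer run with a loosened pattern (say `.*`) looks identical to one pinned to the release workflow; the identity actually being enforced should be visible in the output, e.g. `print_info "Expecting signing identity matching: ${cert_identity_regexp}"` right after the `local` assignment. Because the default is now pinned to one exact workflow path and `@refs/heads/main`, a mismatch becomes the likeliest failure mode (workflow renamed, branch changed, or a fork without the override), yet the existing `>/dev/null 2>&1` on the `cosign verify-blob` call discards the message that would distinguish an identity mismatch from a missing or corrupt bundle; consider keeping stderr (`2>&1 >/dev/null` into a captured variable that is printed on failure). The same literal regexp is now duplicated in README.md, which will drift from the script default unless one is documented as the source of truth. The body of `verify_cosign_signature` starts before and ends after this hunk.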