From 0a8c872b01e78588ffe596cb07fd12d898ad7ba5 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Wed, 6 May 2026 11:02:40 +0100
Subject: [PATCH] fix(install): pin cosign cert-identity to shared-actions workflow
Releases are signed by the lukaszraczylo/shared-actions reusable workflow, so the Sigstore certificate subject is the workflow URL rather than this repo. The previous regex 'https://github.com/lukaszraczylo/kportal/.*' never matched, so any user with cosign installed would see verification fail and abort the install. Pin cert-identity to the exact workflow URL: ^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$ Override via COSIGN_CERT_IDENTITY_REGEXP for forks of the release pipeline. Same fix applied to README's manual verification example. Verified end-to-end against release v0.2.90: cosign verify-blob ... -> Verified OK
---
 README.md | 2 +-
 install.sh | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 88f846a..ef1f28e 100644
--- a/README.md
+++ b/README.md
@@ -92,7 +92,7 @@ All release checksums are signed with [cosign](https://github.com/sigstore/cosig
 ```bash
 # Download the checksum file and its sigstore bundle from the release
 cosign verify-blob \
- --certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
+ --certificate-identity-regexp "^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
 --bundle "kportal--checksums.txt.sigstore.json" \
 kportal--checksums.txt
diff --git a/install.sh b/install.sh
index 5beb8d5..98f23ee 100755
--- a/install.sh
+++ b/install.sh
@@ -133,8 +133,12 @@ verify_cosign_signature() {
 fi
 print_info "Verifying cosign signature on checksums.txt..."
+ # Releases are signed by the shared-actions reusable workflow, so the
+ # cert subject is the workflow URL — NOT this repo. Override with
+ # COSIGN_CERT_IDENTITY_REGEXP if you fork the release pipeline.
+ local cert_identity_regexp="${COSIGN_CERT_IDENTITY_REGEXP:-^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$}"
 if cosign verify-blob \
- --certificate-identity-regexp "https://github.com/${REPO}/.*" \
+ --certificate-identity-regexp "${cert_identity_regexp}" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
 --bundle "${sig_file}" \
 "${checksums_file}" >/dev/null 2>&1; then
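Review bot: The `>/dev/null 2>&1` on the last hunk line still discards cosign's stderr, so a user whose verification fails sees only the installer's own message and never cosign's reason (identity mismatch, issuer mismatch, unreadable bundle) — the same blind spot that let the old `https://github.com/${REPO}/.*` regexp fail silently for every user until this commit. I would capture the output instead: declare `local cosign_output` next to the new `cert_identity_regexp` line, change the condition to `if cosign_output=$(cosign verify-blob \` … `"${checksums_file}" 2>&1); then`, and have the failure branch (outside the hunk, as is the rest of verify_cosign_signature) print `${cosign_output}` through the script's existing print helper before aborting. It would also help to log the identity being pinned, e.g. `print_info "Expecting certificate identity: ${cert_identity_regexp}"`, so that an override via COSIGN_CERT_IDENTITY_REGEXP is visible in the install log rather than only in the environment. The default is written inside double quotes, where bash keeps `\.` literal, so the regexp reaches cosign unchanged; a comment saying so would save the next reader from re-checking the escaping.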