fixup! fixup! Add artifacts signing.

.github/workflows/release.yml

@@ -12,6 +12,8 @@ on:
 
 permissions:
   contents: write
+  packages: write
+  id-token: write
 
 jobs:
   release:

.goreleaser.yaml

@@ -74,17 +74,10 @@ homebrew_casks:
 
 signs:
   - cmd: cosign
-    env:
-      - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
-    certificate: "${artifact}.pem"
+    signature: "${artifact}.sigstore.json"
     args:
       - sign-blob
-      - "--key"
-      - "/tmp/cosign.key"
-      - "--output-signature"
-      - "${signature}"
-      - "--output-certificate"
-      - "${certificate}"
+      - "--bundle=${signature}"
       - "${artifact}"
       - "--yes"
     artifacts: checksum

README.md

@@ -85,14 +85,14 @@ make build && make install
 
 ### Verifying Release Signatures
 
-All release checksums are signed with [cosign](https://github.com/sigstore/cosign). To verify:
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
 
 ```bash
-# Download the checksum file and its signature
-# Then verify with:
+# Download the checksum file and its sigstore bundle from the release
 cosign verify-blob \
-  --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
-  --signature kportal-<version>-checksums.txt.sig \
+  --certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  --bundle "kportal-<version>-checksums.txt.sigstore.json" \
   kportal-<version>-checksums.txt
 ```