From 391bce366d2711236dbccbaf9fa25eb0f77744a5 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Mon, 15 Dec 2025 00:16:16 +0000
Subject: [PATCH] fixup! fixup! Add artifacts signing.
---
 .github/workflows/release.yml | 2 ++
 .goreleaser.yaml | 11 ++---------
 README.md | 10 +++++-----
 3 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9bb21e8..3caed05 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,8 @@ on:
 permissions:
 contents: write
+ packages: write
+ id-token: write
 jobs:
 release:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 0577efe..cf608f4 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -74,17 +74,10 @@ homebrew_casks:
 signs:
 - cmd: cosign
- env:
- - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
- certificate: "${artifact}.pem"
+ signature: "${artifact}.sigstore.json"
 args:
 - sign-blob
- - "--key"
- - "/tmp/cosign.key"
- - "--output-signature"
- - "${signature}"
- - "--output-certificate"
- - "${certificate}"
+ - "--bundle=${signature}"
 - "${artifact}"
 - "--yes"
 artifacts: checksum
diff --git a/README.md b/README.md
index 090e163..a36bebb 100644
--- a/README.md
+++ b/README.md
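Review bot: `packages: write` has no consumer anywhere in this patch — the signing change in .goreleaser.yaml needs only the OIDC token that `id-token: write` grants, and nothing visible publishes to GitHub Packages — so unless a container or package publishing step exists elsewhere in the workflow it should be dropped rather than granted on spec. The `permissions:` block also sits at workflow level, so every job in release.yml gains the ability to mint OIDC identity tokens; moving `contents: write` and `id-token: write` under `jobs.release.permissions` keeps the token grant on the one job that runs goreleaser. The `on:` block and the job definitions continue outside the hunk, so I cannot confirm whether other jobs exist.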
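Review bot: The keyless `sign-blob` call now binds each signature to the workflow's OIDC identity rather than to a key, and nothing in `.goreleaser.yaml` records what that identity is, so a later rename of the workflow file or repository would silently change what verifiers must match. A comment above `signs:` such as `# keyless cosign: signatures verify against this repo's GitHub Actions workflow identity (see README verify-blob flags); keep both in sync` would make that coupling explicit. Related: the README's `--certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*"` accepts a signature from any workflow in the repository, so pinning it to the release workflow path (and optionally a tag ref) narrows which identities a verifier trusts. `--yes` remains appropriate for non-interactive CI. The `signs:` entry may continue past `artifacts: checksum` outside the hunk.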
@@ -85,14 +85,14 @@ make build && make install
 ### Verifying Release Signatures
-All release checksums are signed with [cosign](https://github.com/sigstore/cosign). To verify:
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
 ```bash
-# Download the checksum file and its signature
-# Then verify with:
+# Download the checksum file and its sigstore bundle from the release
 cosign verify-blob \
- --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
- --signature kportal--checksums.txt.sig \
+ --certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ --bundle "kportal--checksums.txt.sigstore.json" \
 kportal--checksums.txt
 ```