diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index f16678c..0577efe 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -80,7 +80,7 @@ signs:
     args:
     - sign-blob
     - "--key"
-    - "env://COSIGN_KEY"
+    - "/tmp/cosign.key"
     - "--output-signature"
     - "${signature}"
     - "--output-certificate"
diff --git a/README.md b/README.md
index c59405a..090e163 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,19 @@ cd kportal
 make build && make install
 ```
 
+### Verifying Release Signatures
+
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign). To verify:
+
+```bash
+# Download the checksum file and its signature
+# Then verify with:
+cosign verify-blob \
+  --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
+  --signature kportal--checksums.txt.sig \
+  kportal--checksums.txt
+```
+
 ## 🚀 Quick Start
 
 Create `.kportal.yaml`:
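Review bot: The `--key` argument now points the private signing key at a fixed, world-known path, `- "/tmp/cosign.key"`, which means some step outside this diff has to write the key to disk on the release runner, and nothing here shows that file being created with restrictive permissions or removed after signing; on a shared or reused runner a predictable `/tmp` path is readable by any other process that runs there and can outlive the job. The previous `env://COSIGN_KEY` form kept the key in process memory only, so unless there is a concrete reason cosign could not read the env reference, the safer change is to keep `- "env://COSIGN_KEY"`, or to have the workflow materialise the key into a `mktemp`-created 0600 file and pass that path through an environment variable rather than hard-coding it here. If the file path must stay, add a comment above the line stating which workflow step writes it, that it is mode 0600, and that it is deleted after the signing step (`# written by the release workflow to a 0600 file and removed after signing — confirm`). Note also that `--output-certificate` is only meaningful for keyless/Fulcio signing and appears unused with a static key, though it is pre-existing.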
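Review bot: The verification recipe fetches the public key from a mutable URL, `--key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub`, so the check only proves the signature matches whatever key is currently on that branch; anyone able to push to that repository (or a compromised account) can replace both key and signatures and the command still succeeds. Pin the key instead: ship `cosign.pub` in the kportal repository or the release assets and document its fingerprint, or at least reference a specific commit SHA rather than `main` and tell readers to compare the key they fetched against a fingerprint published out-of-band. The file names `kportal--checksums.txt` and `kportal--checksums.txt.sig` look as if a version segment was lost between the two dashes — presumably `kportal-<version>-checksums.txt`; confirm against the actual release asset names. The section also stops at verifying the checksum file, so add the final step that makes the verification useful, e.g. `sha256sum --ignore-missing -c kportal-<version>-checksums.txt` against the downloaded archive.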