From 9fd8f9b03bc797aece602c4528a102a51ba0a4a2 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Sun, 14 Dec 2025 23:56:42 +0000
Subject: [PATCH] fixup! Add artifacts signing.
---
 .goreleaser.yaml | 2 +-
 README.md | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index f16678c..0577efe 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -80,7 +80,7 @@ signs:
 args:
 - sign-blob
 - "--key"
- - "env://COSIGN_KEY"
+ - "/tmp/cosign.key"
 - "--output-signature"
 - "${signature}"
 - "--output-certificate"
diff --git a/README.md b/README.md
index c59405a..090e163 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,19 @@ cd kportal
 make build && make install
 ```
 
+### Verifying Release Signatures
+
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign). To verify:
+
+```bash
+# Download the checksum file and its signature
+# Then verify with:
+cosign verify-blob \
+ --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
+ --signature kportal--checksums.txt.sig \
+ kportal--checksums.txt
+```
+
 ## 🚀 Quick Start
 
 Create `.kportal.yaml`:
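Review bot: The `--key` argument in the `signs` args now reads the private signing key from `/tmp/cosign.key`, a fixed path in a shared temp directory, and nothing in this hunk shows who writes that file, with what mode, or when it is removed. Presumably a release-workflow step materialises the secret there before GoReleaser runs. If so, that step should create the file under a restrictive umask (`umask 077`) in a per-run directory rather than bare `/tmp`, and delete it in a cleanup step that runs even when signing fails. At minimum I would add a comment above the entry, e.g. `# key file is written by the release workflow from the COSIGN_KEY secret (mode 0600) and removed after signing`, so the dependency on that step is visible here. The `signs` entry starts and ends outside the hunk, so password handling and the rest of the arguments cannot be checked from this view.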