fixup! fixup! Add artifacts signing.

fixup! Add artifacts signing.
Add artifacts signing.
2026-06-05 23:03:40 +00:00 · 2025-12-15 00:16:16 +00:00 · 2025-12-14 23:56:42 +00:00 · 2025-12-14 23:29:27 +00:00
3 changed files with 26 additions and 0 deletions
@@ -12,6 +12,8 @@ on:

 permissions:
  contents: write
+  packages: write
+  id-token: write

 jobs:
  release:
@@ -71,3 +71,14 @@ homebrew_casks:
            system_command "/usr/bin/xattr",
                           args: ["-dr", "com.apple.quarantine", "#{staged_path}/kportal"]
          end
+
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sigstore.json"
+    args:
+      - sign-blob
+      - "--bundle=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum
+    output: true
@@ -83,6 +83,19 @@ cd kportal
 make build && make install
 ```

+### Verifying Release Signatures
+
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
+
+```bash
+# Download the checksum file and its sigstore bundle from the release
+cosign verify-blob \
+  --certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  --bundle "kportal-<version>-checksums.txt.sigstore.json" \
+  kportal-<version>-checksums.txt
+```
+
 ## 🚀 Quick Start

 Create `.kportal.yaml`:
Author	SHA1	Message	Date
lukaszraczylo	391bce366d	fixup! fixup! Add artifacts signing.	2025-12-15 00:16:16 +00:00
lukaszraczylo	9fd8f9b03b	fixup! Add artifacts signing.	2025-12-14 23:56:42 +00:00
lukaszraczylo	7032bb5bee	Add artifacts signing.	2025-12-14 23:29:27 +00:00