fixup! Add artifacts signing.

2026-06-06 23:13:39 +00:00 · 2025-12-14 23:56:42 +00:00
2 changed files with 14 additions and 1 deletions
@@ -80,7 +80,7 @@ signs:
    args:
      - sign-blob
      - "--key"
-      - "env://COSIGN_KEY"
+      - "/tmp/cosign.key"
      - "--output-signature"
      - "${signature}"
      - "--output-certificate"
@@ -83,6 +83,19 @@ cd kportal
 make build && make install
 ```

+### Verifying Release Signatures
+
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign). To verify:
+
+```bash
+# Download the checksum file and its signature
+# Then verify with:
+cosign verify-blob \
+  --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
+  --signature kportal-<version>-checksums.txt.sig \
+  kportal-<version>-checksums.txt
+```
+
 ## 🚀 Quick Start

 Create `.kportal.yaml`: