fixup! fixup! Add artifacts signing.

.github/workflows/release.yml

@@ -12,6 +12,8 @@ on:
 
 permissions:
   contents: write
+  packages: write
+  id-token: write
 
 jobs:
   release:

.goreleaser.yaml

@@ -74,17 +74,10 @@ homebrew_casks:
 
 signs:
   - cmd: cosign
-    env:
+    signature: "${artifact}.sigstore.json"
-      - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
-    certificate: "${artifact}.pem"
     args:
       - sign-blob
-      - "--key"
+      - "--bundle=${signature}"
-      - "env://COSIGN_KEY"
-      - "--output-signature"
-      - "${signature}"
-      - "--output-certificate"
-      - "${certificate}"
       - "${artifact}"
       - "--yes"
     artifacts: checksum

README.md

@@ -83,6 +83,19 @@ cd kportal
 make build && make install
 ```
 
+### Verifying Release Signatures
+
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
+
+```bash
+# Download the checksum file and its sigstore bundle from the release
+cosign verify-blob \
+  --certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  --bundle "kportal-<version>-checksums.txt.sigstore.json" \
+  kportal-<version>-checksums.txt
+```
+
 ## 🚀 Quick Start
 
 Create `.kportal.yaml`: