Update go.mod and go.sum (#19 )

fixup! fixup! Add artifacts signing.
2026-06-30 05:44:37 +00:00 · 2025-12-15 03:40:40 +00:00 · 2025-12-15 00:16:16 +00:00
5 changed files with 12 additions and 17 deletions
@@ -12,6 +12,8 @@ on:
 permissions:
  contents: write
  packages: write
  id-token: write
 jobs:
  release:
@@ -74,17 +74,10 @@ homebrew_casks:
 signs:
  - cmd: cosign
-    env:
+    signature: "${artifact}.sigstore.json"
      - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
    certificate: "${artifact}.pem"
    args:
      - sign-blob
-      - "--key"
+      - "--bundle=${signature}"
      - "/tmp/cosign.key"
      - "--output-signature"
      - "${signature}"
      - "--output-certificate"
      - "${certificate}"
      - "${artifact}"
      - "--yes"
    artifacts: checksum
@@ -85,14 +85,14 @@ make build && make install
 ### Verifying Release Signatures
-All release checksums are signed with [cosign](https://github.com/sigstore/cosign). To verify:
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
 ```bash
-# Download the checksum file and its signature
+# Download the checksum file and its sigstore bundle from the release
 # Then verify with:
 cosign verify-blob \
-  --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
+  --certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
-  --signature kportal-<version>-checksums.txt.sig \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --bundle "kportal-<version>-checksums.txt.sigstore.json" \
  kportal-<version>-checksums.txt
 ```
@@ -23,7 +23,7 @@ require (
 	github.com/charmbracelet/x/ansi v0.11.3 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.14 // indirect
 	github.com/charmbracelet/x/term v0.2.2 // indirect
-	github.com/clipperhouse/displaywidth v0.6.1 // indirect
+	github.com/clipperhouse/displaywidth v0.6.2 // indirect
 	github.com/clipperhouse/stringish v0.1.1 // indirect
 	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -20,8 +20,8 @@ github.com/charmbracelet/x/exp/golden v0.0.0-20240806155701-69247e0abc2a h1:G99k
 github.com/charmbracelet/x/exp/golden v0.0.0-20240806155701-69247e0abc2a/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
 github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
 github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=
-github.com/clipperhouse/displaywidth v0.6.1 h1:/zMlAezfDzT2xy6acHBzwIfyu2ic0hgkT83UX5EY2gY=
+github.com/clipperhouse/displaywidth v0.6.2 h1:ZDpTkFfpHOKte4RG5O/BOyf3ysnvFswpyYrV7z2uAKo=
-github.com/clipperhouse/displaywidth v0.6.1/go.mod h1:R+kHuzaYWFkTm7xoMmK1lFydbci4X2CicfbGstSGg0o=
+github.com/clipperhouse/displaywidth v0.6.2/go.mod h1:R+kHuzaYWFkTm7xoMmK1lFydbci4X2CicfbGstSGg0o=
 github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
 github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
 github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
Author	SHA1	Message	Date
lukaszraczylo	92746efcf5	Update go.mod and go.sum (#19 )	2025-12-15 03:40:40 +00:00
lukaszraczylo	391bce366d	fixup! fixup! Add artifacts signing.	2025-12-15 00:16:16 +00:00