From 6d893df12b1a8e9f709126975418e135f0e9f42a Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Mon, 15 Dec 2025 00:38:35 +0000
Subject: [PATCH] Add signing of the plugin on release.

---
 .github/workflows/release.yml | 2 ++
 .goreleaser.yaml | 11 +++++++++++
 README.md | 13 +++++++++++++
 3 files changed, 26 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 306cf84..cb1028a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,9 @@ on:
   workflow_dispatch:
 
 permissions:
+  id-token: write
   contents: write
+  packages: write
 
 jobs:
   release:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 430f5e3..e93d88b 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -47,3 +47,14 @@ release:
   name_template: "v{{ .Version }}"
   draft: false
   prerelease: auto
+
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sigstore.json"
+    args:
+      - sign-blob
+      - "--bundle=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum
+    output: true
diff --git a/README.md b/README.md
index 3103b82..b06a5e9 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,19 @@ experimental:
 
 2. Configure the middleware in your dynamic configuration (see examples below).
 
+### Verifying Release Signatures
+
+All release checksums are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
+
+```bash
+# Download the checksum file and its sigstore bundle from the release
+cosign verify-blob \
+  --certificate-identity-regexp "https://github.com/lukaszraczylo/traefikoidc/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  --bundle "traefikoidc_v_checksums.txt.sigstore.json" \
+  traefikoidc_v_checksums.txt
+```
+
 ### Local Development with Docker Compose
 
 For local development or testing, you can use the provided Docker Compose setup:
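Review bot: The new `packages: write` line after `contents: write` is not required by anything this patch adds — keyless `cosign sign-blob` as configured in the `.goreleaser.yaml` `signs` stanza needs only `id-token: write` to obtain the OIDC token, and neither hunk shows image or package publishing. It widens what `GITHUB_TOKEN` can do in the release job (publishing to GitHub Packages) for no visible benefit, so drop the line, or if the parts of `.goreleaser.yaml` outside this diff push container images, keep it and record why: `  packages: write  # needed by goreleaser docker/ko publish`. The added `id-token: write` deserves a why-comment as well, e.g. `  id-token: write  # OIDC token for cosign keyless signing`. The `jobs:` body continues outside the hunk, so it is not visible whether the job installs cosign (for example a sigstore/cosign-installer step) before goreleaser runs; the `signs` stanza will fail without `cosign` on PATH.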
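Review bot: The `signs` stanza records how the checksum file is signed but not what identity a verifier must pin, which is the part consumers of the `.sigstore.json` bundle need to get right. A short comment above `signs:` should state that the signing certificate carries the workflow identity (`https://github.com/<owner>/<repo>/.github/workflows/release.yml@refs/tags/<tag>` with issuer `https://token.actions.githubusercontent.com`) and that verification should pin at least the workflow path and tag ref rather than a broad repository-wide pattern, since any workflow in the repository that runs with `id-token: write` would otherwise produce an acceptable signature. The same comment should note that `--yes` skips cosign's prompt acknowledging that the certificate identity is published to the public transparency log, and that `artifacts: checksum` signs only the checksum file, so binaries are verified indirectly through it.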