add documentation about how to verify the signed images

Signed-off-by: Jan Larwig <[email protected]>

Author: tuunit

README.md

@@ -18,3 +18,24 @@ Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/ch
 ct lint --all --config ct.yaml
 ct install --all --config ct.yaml
 ```
+
+## Verify Signed Helm Charts
+
+With the introduction of cosign for signing artifacts you can verify the
+integrity of our artifacts using the following command:
+
+```
+VERSION=8.2.2
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+    --certificate-github-workflow-repository oauth2-proxy/manifests \
+    --certificate-github-workflow-name "Release Charts" \
+    --certificate-github-workflow-ref main \
+    --certificate-identity "https://github.com/oauth2-proxy/manifests/.github/workflows/release.yaml@main" \
+    "oci://ghcr.io/oauth2-proxy/manifests/charts/oauth2-proxy@${VERSION}" | jq
+```
+
+Note:
+
+We utilize cosign to sign and verify artifacts with the KEYLESS mode. To learn
+more about how keyless signing is done, visit the official documentation about 
+[Keyless Signatures](https://docs.sigstore.dev/cosign/signing/overview/#the-signing-witnessing-and-verifying-process).