add documentation about how to verify the signed images

Signed-off-by: Jan Larwig <[email protected]>

Author: tuunit

README.md

@@ -18,3 +18,23 @@ Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/ch
 ct lint --all --config ct.yaml
 ct install --all --config ct.yaml
 ```
+
+## Verify Signed Helm Charts
+
+With the introduction of cosign as a keyless method of signing artifacts you can
+verify the integrity of the artifacts using the following command:
+
+```
+VERSION=8.2.2
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+    --certificate-github-workflow-repository oauth2-proxy/manifests \
+    --certificate-github-workflow-name "Release Charts" \
+    --certificate-github-workflow-ref main \
+    --certificate-identity "https://github.com/oauth2-proxy/manifests/.github/workflows/release.yaml@main" \
+    "oci://ghcr.io/oauth2-proxy/manifests/charts/oauth2-proxy@${VERSION}" | jq
+```
+
+Note:
+We utilize cosign to verify images signed with the KEYLESS mode. To learn more
+visit the official documentation on [Keyless Signatures](https://docs.sigstore.dev/cosign/signing/overview/#the-signing-witnessing-and-verifying-process).
+