Merge pull request #327 from txn2/fix/cosign-signing

cjimti · web-flow · commit 497ad00d1e05 · 2025-12-27T16:32:18.000-08:00
fix: add Cosign signature bundle to releases
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -58,11 +58,11 @@ checksum:
 signs:
   - cmd: cosign
     artifacts: checksum
+    signature: "${artifact}.sigstore.json"
     args:
       - "sign-blob"
       - "--yes"
-      - "--output-signature=${signature}"
-      - "--output-certificate=${certificate}"
+      - "--bundle=${signature}"
       - "${artifact}"
 
 # Generate Software Bill of Materials for archives
diff --git a/README.md b/README.md
@@ -140,6 +140,33 @@ docker run -it --rm --privileged \
 
 See [Advanced Usage](docs/advanced-usage.md#docker-integration) for Docker Compose examples and [Getting Started](docs/getting-started.md) for complete installation instructions.
 
+## Verifying Downloads
+
+All release artifacts are signed using [Cosign](https://github.com/sigstore/cosign) keyless signing with GitHub Actions OIDC.
+
+### Verify Checksums
+
+```bash
+# Download the checksum file and signature bundle
+curl -LO https://github.com/txn2/kubefwd/releases/latest/download/kubefwd_checksums.txt
+curl -LO https://github.com/txn2/kubefwd/releases/latest/download/kubefwd_checksums.txt.sigstore.json
+
+# Verify signature
+cosign verify-blob \
+  --bundle kubefwd_checksums.txt.sigstore.json \
+  --certificate-identity-regexp="https://github.com/txn2/kubefwd/.*" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  kubefwd_checksums.txt
+```
+
+### Verify Docker Images
+
+```bash
+cosign verify txn2/kubefwd:latest \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  --certificate-identity-regexp="https://github.com/txn2/kubefwd/.*"
+```
+
 ## Usage
 
 ### Interactive Mode (Recommended)
