Merge pull request #396 from fettpl/fix/365-release-signatures

ci: add cosign keyless signing for release artifacts

.github/workflows/release.yml

@@ -6,6 +6,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write  # Required for cosign keyless signing via OIDC
 
 env:
   CARGO_TERM_COLOR: always
@@ -84,6 +85,20 @@ jobs:
         with:
           path: artifacts
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+      - name: Sign artifacts with cosign (keyless)
+        run: |
+          for file in artifacts/**/*; do
+            [ -f "$file" ] || continue
+            cosign sign-blob --yes \
+              --oidc-issuer=https://token.actions.githubusercontent.com \
+              --output-signature="${file}.sig" \
+              --output-certificate="${file}.pem" \
+              "$file"
+          done
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with: