ci: Sign binary artifacts

Author: armsnyder

.github/.goreleaser.yaml

@@ -44,3 +44,16 @@ notarize:
         issuer_id: "{{ .Env.MACOS_NOTARY_ISSUER_ID }}"
         key_id: "{{ .Env.MACOS_NOTARY_KEY_ID }}"
         key: "{{ .Env.MACOS_NOTARY_KEY }}"
+
+# https://goreleaser.com/customization/binary_sign
+binary_signs:
+  - cmd: cosign
+    stdin: "{{ .Env.COSIGN_PWD }}"
+    args:
+      - sign-blob
+      - --key
+      - env://COSIGN_KEY
+      - --output-signature
+      - "${artifact}.sig"
+      - "${artifact}"
+      - --yes

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfprkFuaueivm8krdMoQ3Fu8iyIHO
+B0v6luy50g00LBrcjs2gFhTRpyKHkGSzxUS+Ix6rfUGakgLt9ojpbhl5sw==
+-----END PUBLIC KEY-----