From b7369b00ee0d03a73f95e9b64da18a0a7c8162f8 Mon Sep 17 00:00:00 2001
From: Matthew Kilgore <matthew@kilgore.dev>
Date: Sat, 23 Aug 2025 17:51:55 -0400
Subject: [PATCH] Try keyless signing for blobs

---
 backend/.goreleaser.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backend/.goreleaser.yaml b/backend/.goreleaser.yaml
index 02c80bcb..b989e890 100644
--- a/backend/.goreleaser.yaml
+++ b/backend/.goreleaser.yaml
@@ -43,11 +43,14 @@ signs:
     stdin: "{{ .Env.COSIGN_PWD }}"
     args:
       - "sign-blob"
-      - "--key=cosign.key"
+      - "--output-certificate=${certificate}"
       - "--output-signature=${signature}"
       - "${artifact}"
       - "--yes" # needed on cosign 2.0.0+
     artifacts: all
+    output:
+      signature: "${artifact}.sig"
+      certificate: "${artifact}.pem"
 
 archives:
   - formats: [ 'tar.gz' ]