In GoReleaser v0.176.0 (both OSS and Pro), we released the ability to sign Docker images - with cosign in mind, and also did small quality-of-life improvements in the artifact signing feature. In this post we’ll explore how to quickly add this to your GoReleaser config so your users can verify the artifacts they download. cosign You’ll need to install cosign, and then generate a key pair with it: cosign generate-key-pair It’ll ask for a password and its confirmation - and that’s it.
