From 41baec52f0f019eecb65fad98586062386733b1b Mon Sep 17 00:00:00 2001
From: Patrick Gniza
Date: Sat, 8 Nov 2025 17:44:22 +0100
Subject: [PATCH] update cosing version + drone.yml
---
 .drone.yml | 37 +++++++++++++++++++++----------------
 Dockerfile | 2 +-
 2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index bf2711e..f63e993 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -56,22 +56,27 @@ steps:
 # --------------------------------------------------
 # 2️⃣ Sign Image with Cosign (Secret-Key aus Variable)
 # --------------------------------------------------
- - name: sign-image
- image: gcr.io/projectsigstore/cosign:v2.4.0
- entrypoint: ["cosign"]
- args:
- - "sign"
- - "--yes"
- - "--key"
- - "env://COSIGN_KEY"
- - "$IMAGE_DIGEST"
- environment:
- COSIGN_KEY:
- from_secret: COSIGN_KEY
- COSIGN_PASSWORD:
- from_secret: COSIGN_PASSWORD
- depends_on:
- - export-env
+- name: sign-image
+ image: alpine:3.20
+ environment:
+ COSIGN_KEY:
+ from_secret: COSIGN_KEY
+ COSIGN_PASSWORD:
+ from_secret: COSIGN_PASSWORD
+ IMAGE_DIGEST:
+ from_secret: IMAGE_DIGEST # Optional – oder aus export-env
+ commands:
+ - echo "=== 🔏 Installing Cosign v3.0.2 ==="
+ - apk add --no-cache curl ca-certificates
+ - curl -sSL -o /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign-linux-amd64
+ - chmod +x /usr/local/bin/cosign
+
+ - echo "=== 🔏 Signing Image ==="
+ - cosign version
+ - cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
+ - echo "✅ Image signed successfully."
+ depends_on:
+ - export-env
 # --------------------------------------------------
 # 3️⃣ Create Gitea Release
diff --git a/Dockerfile b/Dockerfile
index ce3f350..379f90c 100644
--- a/Dockerfile
+++ b/Dockerfile
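Review bot: The new `sign-image` step in `.drone.yml` downloads the cosign binary with `curl -sSL` and runs it without any integrity check, in the same step that holds `COSIGN_KEY` and `COSIGN_PASSWORD`; without `-f`, an HTTP error body would also be saved as the executable. Pin the expected SHA-256 of the v3.0.2 `cosign-linux-amd64` asset and verify it before the `chmod`: change the download to `curl -fsSL -o /usr/local/bin/cosign …` and add `- echo "<SHA256_OF_COSIGN_V3_0_2_LINUX_AMD64>  /usr/local/bin/cosign" | sha256sum -c -`, or go back to an official cosign image pinned by digest. The `wget -qO` line in the Dockerfile hunk has the same gap and should get the same check. Separately, `IMAGE_DIGEST` is now read `from_secret` while its inline comment says it may instead come from `export-env`; the hunk does not show which value wins, so confirm that what gets signed is the digest of the image built in this run rather than a static secret.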
@@ -26,7 +26,7 @@ RUN apk add --no-cache \
 # --- Cosign installieren ---
 RUN wget -qO /usr/local/bin/cosign \
- https://github.com/sigstore/cosign/releases/download/v2.4.0/cosign-linux-amd64 && \
+ https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign-linux-amd64 && \
 chmod +x /usr/local/bin/cosign
 # --- Entrypoint-Skript ---