update cosing version + drone.yml

.drone.yml

@@ -56,20 +56,25 @@ steps:
   # --------------------------------------------------
   # 2️⃣ Sign Image with Cosign (Secret-Key aus Variable)
   # --------------------------------------------------
-  - name: sign-image
+- name: sign-image
-    image: gcr.io/projectsigstore/cosign:v2.4.0
+  image: alpine:3.20
-    entrypoint: ["cosign"]
-    args:
-      - "sign"
-      - "--yes"
-      - "--key"
-      - "env://COSIGN_KEY"
-      - "$IMAGE_DIGEST"
   environment:
     COSIGN_KEY:
       from_secret: COSIGN_KEY
     COSIGN_PASSWORD:
       from_secret: COSIGN_PASSWORD
+    IMAGE_DIGEST:
+      from_secret: IMAGE_DIGEST  # Optional – oder aus export-env
+  commands:
+    - echo "=== 🔏 Installing Cosign v3.0.2 ==="
+    - apk add --no-cache curl ca-certificates
+    - curl -sSL -o /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign-linux-amd64
+    - chmod +x /usr/local/bin/cosign
+
+    - echo "=== 🔏 Signing Image ==="
+    - cosign version
+    - cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
+    - echo "✅ Image signed successfully."
   depends_on:
     - export-env
 

Dockerfile

@@ -26,7 +26,7 @@ RUN apk add --no-cache \
 
 # --- Cosign installieren ---
 RUN wget -qO /usr/local/bin/cosign \
-      https://github.com/sigstore/cosign/releases/download/v2.4.0/cosign-linux-amd64 && \
+      https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign-linux-amd64 && \
     chmod +x /usr/local/bin/cosign
 
 # --- Entrypoint-Skript ---