From 58fc848b9440fc4cec8d11ce08bed93b36274361 Mon Sep 17 00:00:00 2001
From: valoq
Date: Mon, 13 Apr 2026 20:53:16 +0200
Subject: [PATCH 1/4] feat: add sigstore signing
---
 README.md | 1 +
 SECURITY.md | 32 ++++++++++++++++++++++++++++++++
 gen/build.sh | 2 +-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 SECURITY.md
diff --git a/README.md b/README.md
index bbd1443ae..91dc409ac 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ See [faq](https://github.com/gokcehan/lf/wiki/FAQ) for more information and [tut
 See [packages](https://github.com/gokcehan/lf/wiki/Packages) for community maintained packages.
 See [releases](https://github.com/gokcehan/lf/releases) for pre-built binaries.
+See [security](SECURITY.md) for release verification and reproducible builds.
 Building from the source requires [Go](https://go.dev/).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..584a5018d
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,32 @@
+# Verifying Releases
+
+Release binaries are signed using [sigstore cosign](https://github.com/sigstore/cosign) with keyless signing.
+Each signing event is recorded in the [Rekor](https://rekor.sigstore.dev) transparency log, providing a public auditable record that the binary was built by the official GitHub Actions release workflow.
+
+## Verify a download
+
+Install cosign:
+
+ go install github.com/sigstore/cosign/v3/cmd/cosign@latest
+
+Download the binary, checksums, and sigstore bundle for your platform from the [releases page](https://github.com/gokcehan/lf/releases), then run:
+
+ cosign verify-blob lf-linux-amd64.tar.gz \
+ --bundle lf-linux-amd64.tar.gz.sigstore.json \
+ --certificate-identity "https://github.com/gokcehan/lf/.github/workflows/release.yml@refs/tags/TAG" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+Replace `TAG` with the release tag (e.g. `r33`).
+
+## Verify checksums
+
+ sha256sum -c sha256sums.txt
+
+## Reproduce a build
+
+Builds are reproducible given the same Go version and source:
+
+ go version -m ./lf # shows the exact Go version used
+ git checkout TAG
+ CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.gVersion=TAG"
+ sha256sum lf # compare with sha256sums.txt
diff --git a/gen/build.sh b/gen/build.sh
index c060b64d2..b72b12b71 100755
--- a/gen/build.sh
+++ b/gen/build.sh
@@ -10,6 +10,6 @@ set -o errexit -o nounset
 [ -z "${version:-}" ] && version=$(git describe --tags --abbrev=0)
-CGO_ENABLED=0 go build -ldflags="-s -w -X main.gVersion=$version" "$@"
+CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.gVersion=$version" "$@"
 # vim: tabstop=4 shiftwidth=4 textwidth=80 colorcolumn=80
From e261c6291aef8934edab5471f48af2bf8183f213 Mon Sep 17 00:00:00 2001
From: valoq
Date: Tue, 14 Apr 2026 20:29:36 +0200
Subject: [PATCH 2/4] clean patch
---
 gen/build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gen/build.sh b/gen/build.sh
index b72b12b71..c060b64d2 100755
--- a/gen/build.sh
+++ b/gen/build.sh
@@ -10,6 +10,6 @@ set -o errexit -o nounset
 [ -z "${version:-}" ] && version=$(git describe --tags --abbrev=0)
-CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.gVersion=$version" "$@"
+CGO_ENABLED=0 go build -ldflags="-s -w -X main.gVersion=$version" "$@"
 # vim: tabstop=4 shiftwidth=4 textwidth=80 colorcolumn=80
From 4058122124589d6d3806a004f9311adcd9469ba6 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 3 May 2026 12:08:21 +0200
Subject: [PATCH 3/4] add missing ci file and improve workflow
---
 SECURITY.md | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index 584a5018d..a75afb92c 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,7 +1,9 @@
 # Verifying Releases
-Release binaries are signed using [sigstore cosign](https://github.com/sigstore/cosign) with keyless signing.
-Each signing event is recorded in the [Rekor](https://rekor.sigstore.dev) transparency log, providing a public auditable record that the binary was built by the official GitHub Actions release workflow.
+Release artifacts are signed using [sigstore cosign](https://github.com/sigstore/cosign) with keyless signing.
+Each signing event is recorded in the [Rekor](https://rekor.sigstore.dev) transparency log, providing a public auditable record that the artifacts were built by the official GitHub Actions release workflow.
+
+A single signature is produced over `sha256sums.txt`, which lists the SHA-256 of every release archive. Verifying the signature on `sha256sums.txt` and then verifying each archive against `sha256sums.txt` gives the same end-to-end guarantee as a per-archive signature.
 ## Verify a download
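Review bot: Dropping `-trimpath` here puts gen/build.sh out of step with the reproduction recipe the series documents: SECURITY.md (added in patch 1 and not touched by patch 3) tells a reproducer to run `CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.gVersion=TAG"`, so if the release workflow builds through this script the two binaries embed different source paths and the hashes never match. The net effect of patches 1 and 2 on this file is empty, so either the flag has to stay on this line or be removed from the documented command; the build settings printed by `go version -m ./lf` on a released binary will show which variant actually shipped. If the release job builds by some other route, that route is the one the docs should name, since reproducibility also depends on matching GOOS/GOARCH and toolchain, which the visible lines of this script do not set.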
@@ -9,18 +11,18 @@ Install cosign:
 go install github.com/sigstore/cosign/v3/cmd/cosign@latest
-Download the binary, checksums, and sigstore bundle for your platform from the [releases page](https://github.com/gokcehan/lf/releases), then run:
+Download `sha256sums.txt`, `sha256sums.txt.sigstore.json`, and the archive(s) you want from the [releases page](https://github.com/gokcehan/lf/releases), then:
- cosign verify-blob lf-linux-amd64.tar.gz \
- --bundle lf-linux-amd64.tar.gz.sigstore.json \
+ cosign verify-blob sha256sums.txt \
+ --bundle sha256sums.txt.sigstore.json \
 --certificate-identity "https://github.com/gokcehan/lf/.github/workflows/release.yml@refs/tags/TAG" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
 Replace `TAG` with the release tag (e.g. `r33`).
-## Verify checksums
+Once `sha256sums.txt` is trusted, verify the archive(s) against it:
- sha256sum -c sha256sums.txt
+ sha256sum --check --ignore-missing sha256sums.txt
 ## Reproduce a build
From 6280c8a8ddc5a471b83fb539ba9a01c1584ecec3 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 3 May 2026 13:49:03 +0200
Subject: [PATCH 4/4] add workflow
---
 .github/workflows/release.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 006e62851..791e057ed 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -78,6 +78,9 @@ jobs:
 release:
 runs-on: ubuntu-latest
 needs: build
+ permissions:
+ contents: write
+ id-token: write # required for cosign keyless OIDC signing
 steps:
 - name: Download artifacts
 uses: actions/download-artifact@v8
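Review bot: Granting `id-token: write` to the whole `release` job means every step in it can obtain an OIDC token for the `release.yml@refs/tags/TAG` identity that SECURITY.md instructs users to trust, so the third-party actions in the job (`actions/download-artifact@v8` here, plus `sigstore/cosign-installer@v3` and `softprops/action-gh-release@v2` in the next hunk) are each in a position to produce signatures that verify. Pinning those actions to a full commit SHA instead of a mutable major tag, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # v3`, keeps that trust on reviewed code; tag pinning is the file's existing style, so this is a hardening suggestion rather than a defect in the hunk. The job-scoped `permissions` block itself is the right shape: it confines `contents: write` and `id-token: write` to this job, and since a job-level block replaces the workflow default, every other scope is left at none. The job's step list continues past the end of the hunk.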
@@ -85,6 +88,18 @@ jobs:
 path: dist
 merge-multiple: true
+ - name: Generate checksums
+ working-directory: dist
+ shell: bash
+ run: sha256sum lf-*.{zip,tar.gz} > sha256sums.txt
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+
+ - name: Sign checksums (sigstore keyless)
+ working-directory: dist
+ run: cosign sign-blob --yes --bundle sha256sums.txt.sigstore.json sha256sums.txt
+
 - name: Release
 uses: softprops/action-gh-release@v2
 with:
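Review bot: `sha256sums.txt` is generated only over the archives (`lf-*.{zip,tar.gz}`), but the Reproduce section of SECURITY.md that this series ships still ends with `sha256sum lf # compare with sha256sums.txt` on a bare rebuilt binary, so that comparison can never succeed: the file lists archive hashes, and archive bytes can also differ through tar/zip metadata even when the binary inside is identical. Either append the checksum of each binary before packaging, or rewrite the documented step to extract the downloaded archive and compare the two binaries directly (`cmp lf <extracted>/lf`). The Release step's `with:` file list is past the end of the hunk, so I cannot confirm that `sha256sums.txt` and `sha256sums.txt.sigstore.json` are uploaded alongside the archives; the verification instructions depend on both being published.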