fix signing

.gitea/workflows/docker-builder.yml

@@ -243,22 +243,28 @@ jobs:
           path: sbom.spdx.json
           
       - name: Install cosign
+        shell: bash
         run: |
           curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
-            -o /usr/local/bin/cosign
-          chmod +x /usr/local/bin/cosign
+            -o cosign
+          chmod +x cosign
+          mv cosign /usr/local/bin/
+          cosign version
 
       - name: Sign image
         if: env.IS_TAG == 'true'
         shell: bash
         run: |
           set -euo pipefail
-          IMAGE_NAME="${REGISTRY_HOST}/${IMAGE_BASE}"
-          # Filter nur das erste Tag aus DOCKER_TAGS (falls mehrere)
-          IMAGE_TO_SIGN=$(echo "$DOCKER_TAGS" | cut -d',' -f1)
+          echo "IMAGE_NAME=${REGISTRY_HOST}/${IMAGE_BASE}"
+          echo "VERSION=${VERSION}"
+
+          IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
+
           echo "Signing image $IMAGE_TO_SIGN"
           cosign sign --key ${{ secrets.COSIGN_KEY }} "$IMAGE_TO_SIGN"
 
 
 
 
+