diff --git a/.gitea/workflows/docker-builder.yml b/.gitea/workflows/docker-builder.yml
index b998a30..235fa60 100644
--- a/.gitea/workflows/docker-builder.yml
+++ b/.gitea/workflows/docker-builder.yml
@@ -252,18 +252,17 @@ jobs:
           cosign version
 
       - name: Sign image
+        if: env.IS_TAG == 'true'
         shell: bash
         run: |
           set -euo pipefail
 
           IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
-
           echo "Signing image $IMAGE_TO_SIGN"
 
-          # Cosign login falls nötig
-          export COSIGN_PASSWORD="${{ secrets.COSIGN_KEY }}"
-          
-          cosign sign --key <(echo "$COSIGN_PASSWORD") "$IMAGE_TO_SIGN"
+          # Key nur für Tags nutzen
+          cosign sign --key <(echo "${{ secrets.COSIGN_KEY }}") "$IMAGE_TO_SIGN"
+