diff --git a/.gitea/workflows/docker-builder.yml b/.gitea/workflows/docker-builder.yml
index 235fa60..509ec35 100644
--- a/.gitea/workflows/docker-builder.yml
+++ b/.gitea/workflows/docker-builder.yml
@@ -260,12 +260,17 @@ jobs:
 IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
 echo "Signing image $IMAGE_TO_SIGN"
- # Key nur für Tags nutzen
- cosign sign --key <(echo "${{ secrets.COSIGN_KEY }}") "$IMAGE_TO_SIGN"
-
-
-
-
+ # --- Key generieren (temp) ---
+ COSIGN_KEY_FILE=$(mktemp)
+ echo "Generating temporary Cosign keypair at $COSIGN_KEY_FILE"
+ cosign generate-key-pair --passphrase "" --key "$COSIGN_KEY_FILE"
+ # Optional: Digest nutzen, um Warnung zu vermeiden
+ DIGEST=$(docker buildx imagetools inspect "$IMAGE_TO_SIGN" --raw | jq -r '.manifests[0].digest')
+ echo "Signing digest: $DIGEST"
+ # Signieren
+ cosign sign --key "$COSIGN_KEY_FILE" "${IMAGE_TO_SIGN}@${DIGEST}"
+ # Cleanup
+ rm -f "$COSIGN_KEY_FILE" "$COSIGN_KEY_FILE.pub"
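Review bot: The private key created by `cosign generate-key-pair` is deleted at the end of the step and its `.pub` counterpart is never published or retained, so nothing downstream can verify the signature this hunk produces; a fresh per-run key carries no identity, and the removed `COSIGN_KEY` secret (a stable key whose public half verifiers can pin) was the stronger setup. If the goal is to stop handling a long-lived key, the supported route is keyless signing (`cosign sign --yes "${IMAGE_TO_SIGN}@${DIGEST}"` with an OIDC identity token, recorded in Rekor) — whether the Gitea runner can issue such a token needs checking; otherwise keep the secret-backed key and supply its passphrase via `COSIGN_PASSWORD`. I am not aware of `--passphrase` or `--key` options on `generate-key-pair` (it reads `COSIGN_PASSWORD` and writes `cosign.key`/`cosign.pub`, or `<prefix>.key`/`<prefix>.pub` with `--output-key-prefix`), so please verify against the cosign version this workflow pins — as written the `mktemp` path would not be the key and `rm -f` would miss the generated `.key` file. `.manifests[0].digest` selects the first platform manifest rather than the index the tag points at, so for a multi-arch build `cosign verify` on the tag finds no signature; sign the index digest and fail the step if `DIGEST` is empty before composing `${IMAGE_TO_SIGN}@${DIGEST}`. The cleanup also runs only when every earlier command succeeds, and the step body continues beyond this hunk (its trailing context lines are not shown), so a `trap 'rm -f …' EXIT` or an `if: always()` cleanup step would be more reliable.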