From 9ad38d941ba4e2ad868a64bfa1e1d89a40faa963 Mon Sep 17 00:00:00 2001
From: pi-farm
Date: Tue, 10 Feb 2026 00:16:17 +0100
Subject: [PATCH] fix cosign

---
 .gitea/workflows/docker-builder.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/docker-builder.yml b/.gitea/workflows/docker-builder.yml
index af3c2fb..043d060 100644
--- a/.gitea/workflows/docker-builder.yml
+++ b/.gitea/workflows/docker-builder.yml
@@ -257,11 +257,11 @@ jobs:
         env:
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          # Das hier schaltet den OCI 1.1 Modus frei
           COSIGN_EXPERIMENTAL: 1
         run: |
           set -euo pipefail
+          # 1. Image Namen festlegen
           if [[ "$IS_TAG" == "true" ]]; then
             IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
           else
@@ -269,13 +269,20 @@ jobs:
           fi
           echo "Signing image: $IMAGE_TO_SIGN"
+
+          # 2. Key aus Secret erstellen
           echo "$COSIGN_PRIVATE_KEY" > cosign.key
-          # Signieren mit Referrers-Mode
-          # Wenn dein Gitea aktuell genug ist, verschwinden die sha256-Tags damit!
+          # 3. Eine minimale Signing-Config ohne Transparency Log erstellen
+          # Das ersetzt das alte --tlog-upload=false
+          echo '{"version":"v0.1","transparencyLog":{}}' > signing-config.json
+
+          # 4. Signieren mit der neuen Config
+          # Wir nutzen --signing-config anstatt --tlog-upload
           cosign sign --yes --recursive --key cosign.key \
-            --tlog-upload=false \
+            --signing-config signing-config.json \
             --registry-referrers-mode oci-1-1 \
             "${IMAGE_TO_SIGN}"
-          rm -f cosign.key
\ No newline at end of file
+          # 5. Aufräumen
+          rm -f cosign.key signing-config.json
\ No newline at end of file
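Review bot: The cleanup on the new last line of the second hunk only runs on success: with `set -euo pipefail` a failing `cosign sign` exits the script before `rm -f`, leaving `cosign.key` — the private signing key — in the workspace, which matters on a persistent self-hosted runner. Install the cleanup before the key is written, `trap 'rm -f cosign.key signing-config.json' EXIT`, or avoid the file entirely with `--key env://COSIGN_PRIVATE_KEY`, which cosign accepts directly from the environment variable already set on the step. Separately, I can't match `{"version":"v0.1","transparencyLog":{}}` to the Sigstore SigningConfig schema cosign documents (a `mediaType` plus `rekorTlogUrls`/`rekorTlogConfig` entries), so confirm from the job log that no Rekor entry is created rather than the option silently falling back to the default; if this is the intended replacement for `--tlog-upload=false`, a comment such as `# No transparency log entry: verifiers must pass --insecure-ignore-tlog=true` would document the verification-side consequence. The `run:` block continues outside the hunk and the comments are in German while the rest of the file's surrounding text is English-keyed YAML, so translating them would help the next reader.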