diff --git a/.gitea/workflows/docker-builder.yml b/.gitea/workflows/docker-builder.yml
index e4a1cdb..cca7922 100644
--- a/.gitea/workflows/docker-builder.yml
+++ b/.gitea/workflows/docker-builder.yml
@@ -252,11 +252,13 @@ jobs:
         if: env.IS_TAG == 'true'
         shell: bash
         run: |
-          echo "== Signing image =="
+          set -euo pipefail
           IMAGE_NAME="${REGISTRY_HOST}/${IMAGE_BASE}"
-          VERSION="$VERSION"  # kommt vom Detect version Step
-
-          echo "Signing image ${IMAGE_NAME}:${VERSION}"
-          cosign sign --key ${{ secrets.COSIGN_KEY }} "${IMAGE_NAME}:${VERSION}"
+          # Filter nur das erste Tag aus DOCKER_TAGS (falls mehrere)
+          IMAGE_TO_SIGN=$(echo "$DOCKER_TAGS" | cut -d',' -f1)
+          echo "Signing image $IMAGE_TO_SIGN"
+          cosign sign --key ${{ secrets.COSIGN_KEY }} "$IMAGE_TO_SIGN"
+
+