From e7089a4cf2fe248686095b57044cd91b689a0d30 Mon Sep 17 00:00:00 2001
From: Marvin Wendt
Date: Thu, 1 Aug 2024 15:47:14 +0200
Subject: [PATCH 1/2] ci: remove signing
---
 .github/workflows/release.yaml | 2 --
 .goreleaser.yaml | 13 -------------
 2 files changed, 15 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1da3803f..c9e96b96 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,8 +31,6 @@ jobs:
 key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
 restore-keys: |
 ${{ runner.os }}-go-
- - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- - uses: anchore/sbom-action/download-syft@719133684c7d294116626d1344fe64f0d2ff3e9e # v0.15.2
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
 with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 6b636e41..a6008a8a 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -35,19 +35,6 @@ source:
 checksum:
 name_template: 'checksums.txt'
-signs:
- - cmd: cosign
- env:
- - COSIGN_EXPERIMENTAL=1
- certificate: '${artifact}.pem'
- args:
- - sign-blob
- - '--output-certificate=${certificate}'
- - '--output-signature=${signature}'
- - '${artifact}'
- artifacts: checksum
- output: true
-
 archives:
 - format: tar.gz
 name_template: '{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}'
From d73145886fc93afe40cef4499b0d2d643a5ec687 Mon Sep 17 00:00:00 2001
From: Marvin Wendt
Date: Thu, 1 Aug 2024 15:48:26 +0200
Subject: [PATCH 2/2] docs: remove signing docs
---
 CONTRIBUTING.md | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 283e6ce9..38a76929 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
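Review bot: After this change `.goreleaser.yaml` still publishes `checksums.txt` from the `checksum:` section, but with the `signs:` block removed nothing authenticates that file, so it can detect a corrupted download but not a replaced release asset. If dropping signing is intentional, record it where maintainers will look, for example a comment above `checksum:` such as `# checksums.txt is published unsigned: it guards against corruption only, not tampering`. The first hunk, in `.github/workflows/release.yaml`, removes the syft download step, so any `sboms:` section left in `.goreleaser.yaml` (not visible in this hunk) would no longer find its tool; likewise an `id-token: write` permission kept only for keyless signing, if the job has one, should be dropped. Both hunks show only part of their files, so these two points need checking against the full configuration.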
@@ -83,30 +83,22 @@ Values can then be accessed with template expressions like for example `{{ .Exte ### Release via GoReleaser -We use for the release of the `go-template` project [GoReleaser](https://goreleaser.com/). `GoReleaser` is a tool that +We use for the release of the `go-template` project [GoReleaser](https://goreleaser.com/). `GoReleaser` is a tool that helps you to release your projects in a fast and easy way. Important is the `.goreleaser.yaml` file which is used to configure the release process. -We can start locale builds with adding the `--snapshot` flag to the `goreleaser` command. The `--snapshot` flag will +We can start locale builds with adding the `--snapshot` flag to the `goreleaser` command. The `--snapshot` flag will disable some of the phases, like creating a release tag and pushing to the remote. ```bash goreleaser build --rm-dist --snapshot ``` -or even a release with: +or even a release with: + ```bash goreleaser release --snapshot --rm-dist ``` Check the great documentation of GoReleaser [here](https://goreleaser.com/intro/) for further information. - -#### Cosign and Syft - -During the release process we use `cosign` to keyless sign the release artifacts. - -On top of that, we use `syft` to generate a Software Bill of Materials (SBOM) from our go modules. - -Check the docs for [`syft`](https://github.com/anchore/syft) and [`cosign`](https://github.com/sigstore/cosign) -for further information.