add sigstore signature

[deploy]

Author: overheadhunter

.github/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
     name: Build and Test
     runs-on: ubuntu-latest
     permissions:
-      id-token: write # Required for the attestations step
+      id-token: write # OIDC token for the attestations step
       attestations: write # Required for the attestations step
     outputs:
       sha256: ${{ steps.checksums.outputs.sha256 }}
@@ -67,7 +67,9 @@ jobs:
   deploy-central:
     name: Deploy to Maven Central
     runs-on: ubuntu-latest
-    permissions: {}
+    permissions:
+      id-token: write # OIDC token for sigstore signing
+      contents: read # Required for sigstore signing
     needs: [build]
     if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
     steps:
@@ -99,6 +101,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       packages: write # Required for the deploy to GitHub Packages step
+      id-token: write # OIDC token for sigstore signing
+      contents: read # Required for sigstore signing
     needs: [build]
     if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
     steps:

pom.xml

@@ -325,6 +325,19 @@
 							</execution>
 						</executions>
 					</plugin>
+					<plugin>
+						<groupId>dev.sigstore</groupId>
+						<artifactId>sigstore-maven-plugin</artifactId>
+						<version>2.0.0-rc2</version>
+						<executions>
+							<execution>
+								<id>sign</id>
+								<goals>
+									<goal>sign</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
 				</plugins>
 			</build>
 		</profile>