add verify instructions

.github/workflows/docker-build-push.yml

@@ -79,24 +79,30 @@ jobs:
           cosign sign \
             --yes \
             --output-certificate crt.pem \
-            --output-signature kwasm-image.sig \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+            --output-signature kwasm.sig \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.workflow_sha }}
       -
         name: prepare assets for upload
         if: runner.os != 'Windows'
         shell: bash
         run: |
-          echo "+++ debug +++"
-          cat crt.pem
-          cat kwasm-image.sig
           mkdir _dist
-          cp crt.pem kwasm-image.sig _dist/
+          cat <<EOF > verify.txt
+          cosign verify \
+              --signature kwasm.sig --certificate crt.pem \
+              --certificate-identity https://github.com/${{ github.workflow_ref }} \
+              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+              --certificate-github-workflow-sha ${{ github.workflow_sha }} \
+              --certificate-github-workflow-repository voigt/kwasm-operator \
+              ghcr.io/voigt/kwasm-operator:${{ github.workflow_sha }}
+          EOF
+          cp crt.pem kwasm.sig verify.txt _dist/
       -
         name: upload binary as GitHub artifact
         if: runner.os != 'Windows'
         uses: actions/upload-artifact@v3
         with:
-          name: kwasm-certs
+          name: kwasm
           path: _dist/
       - 
         name: Configure Git