#!/usr/bin/env bash
set -euo pipefail

for TARBALL in build/bundle/*.tar.gz; do
    cosign sign-blob -y "$TARBALL" \
        --output-signature "$TARBALL.sig" \
        --output-certificate "$TARBALL.cert"
done

for SBOM in build/bundle/*.tar.gz.spdx; do
    cosign sign-blob -y "$SBOM" \
        --output-signature "$SBOM.sig" \
        --output-certificate "$SBOM.cert"
done
