add verification

tasks/install.yml

@@ -54,7 +54,11 @@
       retries: 5
       delay: 2
 
-# TODO verify checksum with cosign (need to be installed (dependency))
+    - name: Verify Certificate
+      command: "COSIGN_EXPERIMENTAL=1 cosign verify-blob --certificate /tmp/caddy_{{ caddy_version }}_checksums.txt.pem --signature /tmp/caddy_{{ caddy_version }}_checksums.txt.sig /tmp/caddy_{{ caddy_version }}_checksums.txt"
+      register: _caddy_cosign_key_status
+      changed_when: false
+      failed_when: _caddy_cosign_key_status.rc not in (0, 2)
 
     - name: Unpack caddy binary
       unarchive: