Cosign container image signature is actually done using a public/private key pair signature. This makes the verification process a bit complicated and biased because we then need to find a way to distribute in a none-compromised way the public key...
However, Cosign supports a keyless way of signing images using GitHub OIDC token. See https://docs.sigstore.dev/cosign/signing/overview/#identity-tokens
This makes the verification process straightforward as verifiers will only have to know the GitHub Actions script identity to verify the signatures. We should try to implement this seamless way of doing things.
Cosign container image signature is actually done using a public/private key pair signature. This makes the verification process a bit complicated and biased because we then need to find a way to distribute in a none-compromised way the public key...
However, Cosign supports a keyless way of signing images using GitHub OIDC token. See https://docs.sigstore.dev/cosign/signing/overview/#identity-tokens
This makes the verification process straightforward as verifiers will only have to know the GitHub Actions script identity to verify the signatures. We should try to implement this seamless way of doing things.