Standard for signing, verifying and protecting software
Transforms key management problem into identity problem
cosign creates a temporary key pair and requests a certificate from fulcio.
The client gets redirected to authenticate; fulcio issues a short-lived certificate based on the authentication data.
cosign updates the transparency log rekor
After signing, the key pair as well as the certificate are deleted.
Verification still requires trust
Cosign verifies whether a valid signature is present
Tell cosign what metadata to accept (who has authenticated where)
Kyverno has built-in support
Bootstrapping the tooling is important
Check the supply chain of required tools
Sign a container image
Keyless sign of a container image
Verify the signature of a container image
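The keyless sign and verify steps above, as an added shell example that is not part of the original slides. It assumes cosign v2 on PATH, a reachable OIDC provider, and that the placeholder image digest, identity and issuer are replaced with real values; the guard that refuses to verify without an exact identity and an https issuer is the point of "tell cosign what metadata to accept".

```shell
#!/usr/bin/env sh
# Added example, not the original page's code. Assumes cosign v2 and an OIDC login.
set -eu

# Pin the image by digest (placeholder), never by a mutable tag.
IMAGE="registry.example.com/team/app@sha256:PLACEHOLDER_DIGEST"
# Who is allowed to have signed: the OIDC subject and the issuer that vouched for it
# (constructed values for a GitHub Actions release workflow).
EXPECTED_IDENTITY="https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.2.3"
EXPECTED_ISSUER="https://token.actions.githubusercontent.com"

# Keyless signing: cosign creates an ephemeral key pair, obtains a short-lived
# fulcio certificate for the authenticated identity, records the signature in
# rekor, and then discards the key pair and certificate.
sign_image() {
  cosign sign --yes "$1"
}

# Verification only means something with identity constraints: without them any
# fulcio certificate with a valid rekor entry would pass. Require a non-empty
# identity and an https issuer URL before calling cosign.
check_constraints() {
  identity="$1"
  issuer="$2"
  [ -n "$identity" ] || return 1
  case "$issuer" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Verify the image signature, accepting only the expected identity and issuer.
verify_image() {
  image="$1"
  identity="$2"
  issuer="$3"
  if ! check_constraints "$identity" "$issuer"; then
    echo "refusing to verify without an exact identity and https issuer" >&2
    return 1
  fi
  cosign verify \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$issuer" \
    "$image"
}

# Usage (not run here): sign_image "$IMAGE"; verify_image "$IMAGE" "$EXPECTED_IDENTITY" "$EXPECTED_ISSUER"
```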