Standard for signing, verifying and protecting software
Transforms the key management problem into an identity problem
cosign creates a temporary key pair and requests a certificate from fulcio.
The client is redirected to authenticate (OIDC login); fulcio issues a short-lived certificate bound to the authenticated identity.
cosign records the signature and certificate in the transparency log rekor.
After signing, the key pair as well as the certificate are discarded; the log entry is what remains.
Verification still requires trust
Cosign verifies whether a valid signature is present
Tell cosign which certificate metadata to accept (which identity authenticated, and at which OIDC issuer)
Kyverno has built-in support for this verification
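To make the "who authenticated where" decision explicit, here is an added example (not from the original slides or from the cosign project) that applies an issuer/identity policy to the JSON that `cosign verify` prints and also pins the signed digest to the artifact being deployed. The sample output, registry name, organisation and workflow path are constructed; the policy mirrors the constraints cosign itself enforces through its `--certificate-oidc-issuer` and `--certificate-identity-regexp` options.

```python
import json
import re

# Constructed sample of `cosign verify ... --output json` output (not real data).
# Each entry is one signature; "optional" carries the identity claims from the
# short-lived fulcio certificate, "critical" carries what was actually signed.
SAMPLE_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "registry.example/app"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        "optional": {
            "Issuer": "https://token.actions.githubusercontent.com",
            "Subject": "https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.2.0",
        },
    }
])

# Hypothetical policy: the trusted OIDC issuer and an anchored pattern for the
# identity that is allowed to sign this image.
POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject_regexp": r"^https://github\.com/example-org/app/\.github/workflows/release\.yml@refs/tags/v\d+\.\d+\.\d+$",
}


def accepted_signatures(verify_output, expected_digest, policy=POLICY):
    """Return the signatures whose identity claims satisfy the policy and whose
    signed digest equals the digest about to be deployed. Empty list = reject.
    This does not replace cosign's cryptographic checks; it sits on top of them."""
    accepted = []
    for sig in json.loads(verify_output):
        claims = sig.get("optional") or {}
        digest = sig.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        # Exact issuer match: a familiar subject name at an untrusted IdP proves nothing.
        if claims.get("Issuer") != policy["issuer"]:
            continue
        # Anchored full match on the subject: a loose substring match admits far too much.
        if not re.fullmatch(policy["subject_regexp"], claims.get("Subject", "")):
            continue
        # Bind the signature to the exact artifact, not to a mutable tag.
        if digest != expected_digest:
            continue
        accepted.append(sig)
    return accepted
```

Feed it the real `cosign verify --output json` result and the digest resolved from the registry; any empty result means the deployment should be refused.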
Bootstrapping the tooling is important
Check the supply chain of the required tools themselves (cosign, the policy engine) before trusting what they verify