I designed a system using Sigstore where the signing key is in a secret store, and the CI shells out to the cosign CLI to perform the signing. Is this an antipattern?
For verification, did you use the policy controller in Kubernetes? Or are you manually performing the verification at runtime?
I used OPA in one org and Kyverno in another for verifying (reused whichever was already in place for other purposes).
Our teams always chose to go with cloud KMS services for the signing keys; we thought they offered stronger access controls and less need to revoke/rotate keys when access changes (e.g. a team member leaves).
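An added example, not from any of the posts above, showing what the Kyverno side of this looks like when the signing key lives in a cloud KMS as described in the thread: an admission policy that rejects any Pod whose images are not signed by that key. The policy name, the registry prefix and the KMS key ARN are placeholders I chose for illustration.

```yaml
# Added example (not from the thread): a Kyverno ClusterPolicy that admits a
# Pod only if every image under the assumed registry prefix carries a cosign
# signature made with the private key held in the assumed AWS KMS key below.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signature        # assumed name
spec:
  # Enforce: reject unsigned or mis-signed Pods instead of only auditing them.
  validationFailureAction: Enforce
  # Admission-time check only; no background scans of already-running resources.
  background: false
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"   # assumed registry/org prefix
          # Rewrite tags to digests before verifying, so the image that was
          # checked is exactly the image that runs.
          mutateDigest: true
          verifyDigest: true
          # Fail closed: an image with no matching signature is rejected.
          required: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Kyverno fetches only the public half from KMS; the
                    # private half never leaves the service. Placeholder ARN.
                    kms: awskms:///arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
```

The matching signing step in CI is `cosign sign --key awskms:///<same ARN> <image>@sha256:<digest>`, so no private key material is ever mounted into the pipeline; the CI role only needs permission to request a signature from KMS, and the Kyverno pod only needs credentials that let it read the public key. The `count: 1` with a single entry means one valid signature from that key is sufficient; adding more entries (for example a second key for a different team) makes the policy accept any one of them, while splitting them into separate `attestors` items requires all of them.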